Missing support for PostLogoutRedirectUri about identityserver4.wsfederation HOT 8 CLOSED

You'd have to change how that signout work to use the IdentityServer logoutpage design. Perhaps look at how the OIDC end session code handles it now and replicate that (in a PR perhaps)?

from identityserver4.wsfederation.

@brockallen - to be sure I understand what you are suggesting.
Alter the WsFederationController.ProcessSignOut method to not redirect to "connect/endsession", but instead "move the code" from that into ProcessSignOut and replace the use of EndSessionRequestValidator with a new WsFederationSignoutRequestValidator?

Alternative - hack it with IdentityServerTools.IssueJwtAsync(3600, new List { new Claim(JwtClaimTypes.Audience, clientId) }) and send that as id_token_hint?

from identityserver4.wsfederation.

Hi @pi3k14
Did you complete this scenario?

from identityserver4.wsfederation.

@iyhammad for now we are using the "alternative" version.
Injecting IdentityServerTools into WsFederationController

and alter the ProcessSignOut method to include
var hint = await _tools.IssueJwtAsync(3600, new List<Claim> { new Claim(JwtClaimTypes.Audience, realm) }); url = Url.Action("endsession", "connect", new { id_token_hint = hint, post_logout_redirect_uri = reply });
In our case we get the realm from SignOutRequestMessage and does a validation against Request.Headers["Referer"], in addition there should be a check against _userSession.GetClientListAsync();

But we haven't drawn up a general solution (yet).

from identityserver4.wsfederation.

I tried this but I got these errors in the log

DEBUG 2018-08-01 11:17:18,339 [7    ] tityServer4.Endpoints.EndSessionEndpoint - Processing signout request for 2
DEBUG 2018-08-01 11:17:18,346 [7    ] r4.Validation.EndSessionRequestValidator - Start end session request validation
DEBUG 2018-08-01 11:17:18,353 [7    ] dentityServer4.Validation.TokenValidator - Start identity token validation
ERROR 2018-08-01 11:17:18,371 [7    ] dentityServer4.Validation.TokenValidator - No clientId supplied, can't find id in identity token.
INFO  2018-08-01 11:17:18,378 [7    ] r4.Validation.EndSessionRequestValidator - End session request validation failure: Error validating id token hint
{
  "SubjectId": "unknown",
  "Raw": {
    "id_token_hint": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRDQThEMkJEQTMxOEIyN0IxNDVCRDAzMTY2NjQ5QUFBNkE1QTZFN0MiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJUS2pTdmFNWXNuc1VXOUF4Wm1TYXFtcGFibncifQ.eyJuYmYiOjE1MzMxMjIyMzgsImV4cCI6MTUzMzEyNTgzOCwiaXNzIjoiaHR0cDovL2tpdGRldnNwMjAxMzAxOjEyMzQ0IiwiSWRlbnRpdHlTZXJ2ZXIiOiJ1cm46c2hhcmVwb2ludCIsImNsaWVudGlkIjoidXJuOnNoYXJlcG9pbnQifQ.fm-A5jaHOI3YI29wlWSNo197Jcpdlf_71xp89edlka8CD_t3Jz10czJzeSMw2iMyZO5U-Lf_xOBM59q8k5S22vS9ww_BNW90_RrPL0O3fluG1kn_aOKxweWloK7Q5b3aqRGcWAnX0TE60m7CxMDXRrseGu9gUTg68PACK_r0ofXleUOLYxLXbdLCxg8ioSNSGkaZtGBQS8QAuisDMIbeB5q13BYl-B0-Lw1KYI8ABUZTGomwr59LpJUmW41TrG8WaXb8n1hzbBabttiLtRgnksyPiLsTyEyCgZQ9syyYAVc7l2THohBjrDWfET3gwqIuZu6i63Fh7bRSeJHIVLow48rRmtJrZTcGScmEPppjtMxefoSBsN3K6SCZ3U7jbIgkmDVGBWfDQkuG4Vfyk5q1LHNtqjLFf_JXsif88fWYxzOrtZIfzqGM2e48Jp4A4ijteWcirtdHZPyZ70vIaoybJxo0o9sACIuakB5Vnw10Rqk7ORRvk3J5AFv5bkKCooN9ZMVpNff9BnIAQwFlWkuDuFiQtUDpdZdUNzknRHuhsXELGJEI0luDuE17lpp-tulOFra8B_LGZU1gXdEp5IghW5X4vTCK9ek-4A--X1E48O9in4m0RtoPaY3MjDYGMbwtps6FkjmoZda_RqJUXKWRkJgEB_PTFFaxUX7ocJ30jEM",
    "post_logout_redirect_uri": "http://kitdevsp201301"
  }
}
ERROR 2018-08-01 11:17:18,380 [7    ] tityServer4.Endpoints.EndSessionEndpoint - Error processing end session request Invalid request
INFO  2018-08-01 11:17:18,386 [7    ] soft.AspNetCore.Hosting.Internal.WebHost - Request finished in 73.6363ms 302 

and logoutId is not being sent to the Controller/Logout after the endsession. Did you face this before?

from identityserver4.wsfederation.

@iyhammad - and you included Audience in the hint? Because from Idsrv4 code, that is what is causing this failure TokenValidator

from identityserver4.wsfederation.

@pi3k14 Thank you very much. I was adding it but in a wrong way.

from identityserver4.wsfederation.

Hi
The suggested solution to pass an id_token_hint from the WsfederationController with the wtrealm does not work when using IdentityServer as a claims provider in ADFS 2016. ADFS 2016 does not pass the wtrealm parameter to the claims provider on signout. I went back to my IdentityServer 3 claims provider in ADFS 2016 and this one handles the signout ok without the wtrealm parameter. Why does IdentityServer 4 require this? Is there another way to generate the id_token_hint? Perhaps with the suggested WsFederationSignoutRequestValidator? Will it be able to generate the id_token_hint without the wtrealm parameter?
thanks
Remco

from identityserver4.wsfederation.