External Provider (AAD) Logout Loop #714

Closed
AksharX opened this issue Sep 29, 2020 · 4 comments

AksharX commented Sep 29, 2020

When logging in with a provider that supports sign-out, we are running into an infinite loop of being prompted to log in and log out. I initiate a logout from my SPA. It does not show the logoutPrompt, it sees that the user is Authenticated so it signs out of Identity Server and the following is called:

await _signInManager.SignOutAsync();
await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName()));

It then triggers an External Signout with a redirectURI similar to 'Account/Logout/?LogoutId=####'. The page is redirected to the external provider and I get logged out of the Provider. It then tries to redirect me to the generated redirect URI; however, since we have already signed out of ID4, the GET request redirects me to login 'Account/Login/?redirectUri=Account/Logout/?LogoutId=####', which then starts the cycle again.

I have "fixed" the issue by inserting the [AllowAnonymous] attribute on the Logout(string logoutId) method in the controller AccountController.cs. After adding that attribute I was able to successfully log out without any loop.


gzinger commented Sep 29, 2020

Just to add to the point, in the following code:

...
[HttpGet]
public async Task<IActionResult> Logout(string logoutId)
{

        // build a model so the logout page knows what to display
        var vm = await BuildLogoutViewModelAsync(logoutId);
        if (vm.ShowLogoutPrompt == false)
        {
            ...

the BuildLogoutViewModelAsync(logoutId) call checks if the user exists. That check would not make any sense if we do not allow Anonymous users. So, the suggestion is to decorate this Logout method with the [AllowAnonymous] attribute. @skoruba, please let us know if you agree or if you see any drawbacks with this, and we would make a PR.
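The redirect sequence described in the two comments above, modelled as an added Python example (not code from this project or from IdentityServer4). The route handlers, the `provider.example` host, the `constructed-id` value and the assumption that the prompted login completes are constructed for illustration; the paths and the `redirectUri` / `LogoutId` parameter names follow the URLs quoted in the report.

```python
from urllib.parse import urlencode, urlparse, parse_qs

LOGOUT, LOGIN = "/Account/Logout", "/Account/Login"
PROVIDER_SIGNOUT = "https://provider.example/signout"  # constructed placeholder


def handle(url, session, allow_anonymous_logout):
    """Serve one GET in the model; return the redirect target, or None for a final page."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    if parts.path == "/signout":                    # external provider sign-out
        session["provider"] = False
        return query["redirectUri"][0]              # back to Account/Logout?LogoutId=...
    if parts.path == LOGIN:
        # Assumption: the user (or provider SSO) completes the login that is prompted.
        session["sts"] = session["provider"] = True
        return query["redirectUri"][0]
    if parts.path == LOGOUT:
        if session["sts"]:
            session["sts"] = False                  # SignOutAsync(): local cookie is gone
            if session["provider"]:
                return PROVIDER_SIGNOUT + "?" + urlencode({"redirectUri": url})
            return None
        if allow_anonymous_logout:
            return None                             # anonymous callback renders logged-out page
        # Authorization challenge: the unauthenticated request is sent to login.
        return LOGIN + "?" + urlencode({"redirectUri": url})
    raise ValueError("unmodelled URL: " + url)


def follow(start, allow_anonymous_logout, max_hops=20):
    """Follow redirects; report the path taken and whether a state repeated (a loop)."""
    session = {"sts": True, "provider": True}       # signed in through the external provider
    seen, trace, url = set(), [], start
    while url is not None and len(trace) < max_hops:
        key = (url, session["sts"], session["provider"])
        if key in seen:
            return trace, True, session
        seen.add(key)
        trace.append(urlparse(url).path)
        url = handle(url, session, allow_anonymous_logout)
    return trace, url is not None, session


START = LOGOUT + "?" + urlencode({"LogoutId": "constructed-id"})
if __name__ == "__main__":
    for fixed in (False, True):
        trace, looped, _ = follow(START, fixed)
        print("AllowAnonymous" if fixed else "auth required", "->", " -> ".join(trace),
              "| loop" if looped else "| done")
```

With authentication required on the logout callback, the model returns to its starting state after four requests; with the callback open to anonymous requests it ends on the third request with both sessions cleared.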


skoruba commented Sep 30, 2020

Hi guys,
Thanks for reporting. I think it is similar to the issue that @zinkpad solved in #707. I will test it and send back feedback.


skoruba commented Oct 12, 2020

Fixed in dev branch, it will be a part of 1.0.0.-RC4.

Thanks 👍


skoruba commented Oct 28, 2020

Fixed on master.

skoruba closed this as completed Oct 28, 2020