If you debug while logging out, can you see if a logout request is sent to Auth0 at all?
What cookies exist when logging out?
The breakpoints never get hit when I try to debug after logout, though the cookies are removed, all of them, and if I go to a page that requires authentication I'm getting redirected to the login page again, which is correct, so I do actually get logged out, but the issue remains that I'm getting stuck in the redirect loop. That leaves me with the PostLogoutRedirectUri property, which I've just set to the start page (http://localhost:44444), which should only redirect me to the start page. I'm still confused about what is causing the loop.
You should do something like this in the app.Map(LogoutPath):
map.Run(ctx =>
{
    ctx.Authentication.SignOut();
    var response = HttpContext.Current.Response;
    response.Redirect(string.Format("https://yo-accnt.eu.auth0.com/v2/logout?returnTo={0}", SiteDefinition.Current.SiteUrl));
    return Task.FromResult(0);
});
In our project we are using OpenIdConnect to integrate with Auth0 for federated login, and got stuck on the logout part.
We are running with EPiServer 11.3.3 and using IIS.
We've based our code upon these docs:
https://world.episerver.com/documentation/developer-guides/CMS/security/integrate-azure-ad-using-openid-connect/
The code looks as follows for the configuration in startup.cs:
using System;
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using EPiServer.Security;
using EPiServer.ServiceLocation;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // clientId, aadInstance, postLogoutRedirectUri and LogoutPath are set elsewhere in the class (not shown here).

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = aadInstance,
            Scope = "openid serialNumber AuthenticationMethod",
            ResponseType = OpenIdConnectResponseTypes.IdToken,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            RedirectUri = ConfigurationManager.AppSettings["DomainUrl"],
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = false,
                RoleClaimType = ClaimTypes.Role
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthenticationFailed = context =>
                {
                    context.HandleResponse();
                    context.Response.Write(context.Exception.Message);
                    return Task.FromResult(0);
                },
                RedirectToIdentityProvider = context =>
                {
                    // To avoid a redirect loop to the federation server send 403
                    // when user is authenticated but does not have access
                    if (context.OwinContext.Response.StatusCode == 401 &&
                        context.OwinContext.Authentication.User.Identity.IsAuthenticated)
                    {
                        context.OwinContext.Response.StatusCode = 403;
                        context.HandleResponse();
                    }
                    return Task.FromResult(0);
                },
                SecurityTokenValidated = (ctx) =>
                {
                    // Keep the post-login redirect relative to this site
                    var redirectUri = new Uri(ctx.AuthenticationTicket.Properties.RedirectUri, UriKind.RelativeOrAbsolute);
                    if (redirectUri.IsAbsoluteUri)
                    {
                        ctx.AuthenticationTicket.Properties.RedirectUri = redirectUri.PathAndQuery;
                    }
                    ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Name, "MyTestUser"));
                    ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, "CmsEditors"));
                    ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, "CmsAdmins"));
                    ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, "WebEditors"));
                    ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, "WebAdmins"));
                    // Sync user and the roles to EPiServer in the background.
                    ServiceLocator.Current.GetInstance<ISynchronizingUserService>()
                        .SynchronizeAsync(ctx.AuthenticationTicket.Identity);
                    return Task.FromResult(0);
                }
            }
        });
        app.UseStageMarker(PipelineStage.Authenticate);
        app.Map(LogoutPath, map =>
        {
            map.Run(ctx =>
            {
                ctx.Authentication.SignOut();
                return Task.FromResult(0);
            });
        });
    }
}
which is pretty much the same as the default code. When we link to the LogoutPath we get the error "ERR_TOO_MANY_REDIRECTS" in the browser, and the URL looks like this:
http://localhost:44444/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A44444&x-client-SKU=ID_NET451&x-client-ver=5.2.1.0
The error may not be EPiServer related, but at the same time I can't rule it out either. Any advice on what I'm missing here?
//J
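The logout URL quoted in the question (/logout?post_logout_redirect_uri=...&x-client-SKU=ID_NET451&x-client-ver=5.2.1.0) is the shape the Katana OpenIdConnect handler emits when ctx.Authentication.SignOut() is called without an authentication type and the provider's discovery document does not advertise an end_session_endpoint: the handler builds the logout request with an empty issuer address, the browser resolves that relative to the current path, /logout runs SignOut() again and the loop continues. The reply suggesting a redirect to Auth0's /v2/logout sidesteps this. Below is an added example of that approach; it is not code from this thread, nor from Episerver or Auth0. It adds two things a practitioner would want: it signs out of the cookie middleware only, by name, so the OpenIdConnect middleware never tries to build its own logout redirect, and it checks returnTo against an allow list before placing it in the redirect, so the endpoint cannot be used as an open redirect. The tenant domain, client id, logout path and allowed URL are placeholders.

```csharp
// Added example (not code from the thread): an OWIN/Katana logout endpoint for Auth0.
// Placeholders: Auth0Domain, ClientId and the entry in AllowedReturnTo.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Owin;

public static class Auth0LogoutEndpoint
{
    private const string Auth0Domain = "your-tenant.eu.auth0.com"; // placeholder tenant domain
    private const string ClientId = "your-auth0-client-id";         // placeholder client id

    // Absolute URLs the browser may be sent back to once Auth0 has cleared its session.
    // Auth0 enforces the same rule on its side: with client_id present, returnTo must be
    // registered under the application's "Allowed Logout URLs", otherwise the request is rejected.
    private static readonly HashSet<string> AllowedReturnTo =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "http://localhost:44444/" // placeholder, the start page used in the question
        };

    // Builds the Auth0 logout URL. Anything not on the allow list is refused, so a crafted
    // link to /logout cannot bounce the user to an attacker-chosen site.
    public static string BuildLogoutUrl(string returnTo)
    {
        Uri target;
        if (!Uri.TryCreate(returnTo, UriKind.Absolute, out target) ||
            !AllowedReturnTo.Contains(target.AbsoluteUri))
        {
            throw new ArgumentException("returnTo is not an allowed logout URL", "returnTo");
        }

        return string.Format(
            "https://{0}/v2/logout?client_id={1}&returnTo={2}",
            Auth0Domain,
            Uri.EscapeDataString(ClientId),
            Uri.EscapeDataString(target.AbsoluteUri));
    }

    // Maps the logout path. Signing out of the cookie middleware by name clears the local
    // session without asking the OpenIdConnect middleware for an end_session redirect; the
    // browser is then sent to Auth0 explicitly, which ends the Auth0 session and returns to returnTo.
    public static void MapAuth0Logout(this IAppBuilder app, string logoutPath, string returnTo)
    {
        var logoutUrl = BuildLogoutUrl(returnTo); // validated once, at startup

        app.Map(logoutPath, map =>
        {
            map.Run(ctx =>
            {
                ctx.Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
                ctx.Response.Redirect(logoutUrl);
                return Task.FromResult(0);
            });
        });
    }
}

// Usage, in Startup.Configuration after the authentication middleware is registered:
//   app.MapAuth0Logout("/logout", "http://localhost:44444/");
```

Because the handler answers GET, any third-party page can log the user out by linking to /logout; if that matters for the site, accept only POST carrying an anti-forgery token and return 405 otherwise.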