/signout-oidc endpoint on ASP.NET WebForms client
I have an IdentityServer4 provider and I’m trying to connect an ASP.NET WebForms 4.5.2 client using OpenIdConnect 3.0.1. Everything works fine but I’m having a problem with the /signout-oidc endpoint on the WebForms client: it doesn’t seem to exist. I’m getting a 404 error. Interestingly, /signin-oidc does exist. I’m using the same configuration for an ASP.NET Core client with the same OpenIdConnect 3.0.1 version and /signout-oidc does work there. Am I doing something wrong?
Here’s the /connect/endsession/callback and /signout-oidc log from the logout process using Fiddler:
GET /connect/endsession/callback?sid=5f5617803ca616c7cb247d2d30f178af&logoutId=1ea004139be63cfd7d088ef6ea1483be HTTP/1.1
HTTP/1.1 200 OK
Date: Mon, 03 Apr 2017 08:08:53 GMT
Content-Type: text/html; charset=UTF-8
Server: Kestrel
Cache-Control: no-store, no-cache, max-age=0
Pragma: no-cache
Set-Cookie: idsrv.ClientSessions.5f5617803ca616c7cb247d2d30f178af=.; expires=Sun, 03 Apr 2016 08:08:53 GMT; path=/; httponly
Set-Cookie: LogoutMessage.1ea004139be63cfd7d088ef6ea1483be=.; expires=Sun, 03 Apr 2016 08:08:53 GMT; path=/; httponly
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline' 'sha256-u+OupXgfekP+x/f6rMdoEAspPCYUtca912isERnoEjY=';frame-src http://localhost:9869
X-Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline' 'sha256-u+OupXgfekP+x/f6rMdoEAspPCYUtca912isERnoEjY=';frame-src http://localhost:9869
Content-Length: 223
<!DOCTYPE html><html><style>iframe{display:none;width:0;height:0;}</style><body><iframe src='http://localhost:9869/signout-oidc?sid=5f5617803ca616c7cb247d2d30f178af&iss=http%3A%2F%2Flocalhost%3A3027'></iframe></body></html>
GET /signout-oidc?sid=5f5617803ca616c7cb247d2d30f178af&iss=http%3A%2F%2Flocalhost%3A3027 HTTP/1.1
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-SourceFiles: =?UTF-8?B?RDpcUHJvamVjdHNcS1lTVjNcU291cmNlXElkZW50aXR5LkF1dGhlbnRpY2F0aW9uXFRlc3RzXElkZW50aXR5LkF1dGhlbnRpY2F0aW9uLkNsaWVudC5XZWJGb3Jtc1xzaWdub3V0LW9pZGM=?=
X-Powered-By: ASP.NET
Date: Mon, 03 Apr 2017 08:08:53 GMT
Content-Length: 5089
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IIS 10.0 Detailed Error - 404.0 - Not Found</title>
...
Issue Analytics
- State:
- Created 6 years ago
- Comments:12 (7 by maintainers)
Top GitHub Comments
@deastr The sign-out standard was still being developed when Katana released.
You primarily need to clear auth cookies and any Session contents.
@selfissued it is not possible to verify the user because no cookie gets sent (on different domains than the OP) which allows identifying the user; logging out regardless of the sid is a great possibility for a Denial of Service.
@brentschmaltz the feedback I’m looking for is a possibility to securely log the user out. But this seems not possible with OpenId Connect Front Channel Logout.
Sorry, I’m on vacation, so this answer took a while.
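An added example, not part of the thread and not Katana or IdentityServer code: one way a WebForms/OWIN client could serve /signout-oidc itself, clearing the auth cookie only when the `iss` and `sid` in the iframe request match the local session. The helper name `MapFrontChannelLogout`, the "Cookies" scheme name, and the presence of `sid` and `iss` claims on the cookie identity are assumptions.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

public static class FrontChannelLogout
{
    // Hypothetical helper. Register after UseCookieAuthentication so the cookie
    // has already been read, e.g. with the hosts from the log above:
    //   app.MapFrontChannelLogout("/signout-oidc", "http://localhost:3027", "Cookies");
    public static void MapFrontChannelLogout(this IAppBuilder app, string path,
                                             string expectedIssuer, string cookieScheme)
    {
        app.Map(path, branch => branch.Run(ctx => Handle(ctx, expectedIssuer, cookieScheme)));
    }

    private static Task Handle(IOwinContext ctx, string expectedIssuer, string cookieScheme)
    {
        // The response is rendered in a hidden iframe and must never be cached.
        ctx.Response.Headers.Set("Cache-Control", "no-cache, no-store");
        ctx.Response.Headers.Set("Pragma", "no-cache");

        string iss = ctx.Request.Query["iss"];
        string sid = ctx.Request.Query["sid"];
        ClaimsPrincipal user = ctx.Authentication.User;

        // No local session cookie arrived with the iframe request: nothing to clear.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return Task.FromResult(0);

        // Assumption: the cookie identity kept the id_token's "sid" and "iss" claims.
        Claim localSid = user.FindFirst("sid");
        Claim localIss = user.FindFirst("iss");

        // End only the session the provider named; ignore missing or mismatched values.
        bool matches = localSid != null && localIss != null
            && string.Equals(iss, expectedIssuer, StringComparison.Ordinal)
            && string.Equals(localIss.Value, expectedIssuer, StringComparison.Ordinal)
            && string.Equals(localSid.Value, sid, StringComparison.Ordinal);

        if (matches)
            ctx.Authentication.SignOut(cookieScheme);

        return Task.FromResult(0); // always 200 with an empty body
    }
}
```

This clears only the authentication cookie; ASP.NET Session contents, which the comment above also mentions, have to be cleared separately.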