IdentityServer4 logout

Problem description

I am having an issue where I cannot seem to get my Identity Server logout to show the confirmation first. I downloaded the source code for IdentityServer4 from github and found the parameter in the Models folder: LogoutRequest.cs, ShowSignOutPrompt. There are no references to it in IdentityServer except to check it during the logout.

In debugging, I see that it is false. I don't know where this is supposed to get set, I've checked the options for the client config on both the server and client side, as well as the options on server startup.

I can find no instances of "ShowSignoutPrompt" in the client code (I'm using the IdentityServer3 Owin Hybrid client sample currently).

Here's the code flow: We have a button in our default layout which triggers the client's AccountController.Signout():

public void Signout()
{
    Request.GetOwinContext().Authentication.SignOut();
}

From there, I'm not exactly sure how, but the next point it hits is IdentityServer's AccountController.Logout(string logoutId). That method builds the logout prompt view (using checks in AccountServices.BuildLogoutViewModelAsync) and returns it to the user's browser. The only way it works properly to not set the ShowSignoutPrompt to false is if PostLogoutRedirectUri is set to "/signout-callback-oidc". I don't know why.

When the user clicks "yes" on the view generated above, it goes to IdSrvr's AccountController.Logout(LogoutInputModel model). I am trying to change the last line of that method from:

return View("LoggedOut", vm);

to:

return Redirect(vm.PostLogoutRedirectUri);

There's another problem here in that the PostRedirectUri is null here, even though I set it on the client config (well, for that matter, Identity Server's client config also has it).

Recommended answer

There is no client attribute to control this.

When logging out the client application calls the IdentityServer4 End Session Endpoint.

The signout prompt can be bypassed when a client sends the original id_token. This is passed in as the id_token_hint parameter.

In addition, it indicates if the request for the sign-out has been authenticated, and therefore it's safe to not prompt the user for sign-out. per ref

ShowSignoutPrompt Indicates if the user should be prompted for signout based upon the parameters passed to the end session endpoint. Source PDF

NOTE: If you are using the JavaScript OIDC-Client-JS library, the 'signoutRedirect' method will internally check, see _signoutStart method line 354, for the id_token_hint argument or the user's id_token. So if you are using this library to log a user off and want to force the logout screen you will have to clear the user.id_token.

Sample section from _signoutStart()

_signoutStart(args = {}, navigator, navigatorParams = {}) {
    ...
    var id_token = args.id_token_hint || user && user.id_token;
    if (id_token) {
        Log.debug("Setting id_token into signout request");
        args.id_token_hint = id_token;
    }
    ...
}

Update:

If you are using IdentityServer4 version 2.x you can use the new class ClientProperty to store key-value pairs. In here you could create a key of "LogoffPromptRequired" and a value of "true" to be used in the client or IdentityServer implementation to determine if the log off screen is required.
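
The hint-resolution behaviour described in the answer, as an added example that is not part of the original answer and is not oidc-client-js or IdentityServer4 code. The function names, the `example.test` URLs and the token string are constructed for illustration, and `wouldShowPrompt` is a simplified model that treats the presence of `id_token_hint` as an authenticated request (a real server validates the token first).

```javascript
// Added example: standalone model of the precedence quoted from _signoutStart().
// resolveIdTokenHint, buildEndSessionUrl and wouldShowPrompt are hypothetical names.

// Explicit argument first, then the id_token stored on the signed-in user.
function resolveIdTokenHint(args = {}, user = null) {
  return args.id_token_hint || (user && user.id_token) || undefined;
}

// Build the request a client would send to the end session endpoint.
function buildEndSessionUrl(endSessionEndpoint, args = {}, user = null) {
  const url = new URL(endSessionEndpoint);
  const hint = resolveIdTokenHint(args, user);
  if (hint) {
    url.searchParams.set("id_token_hint", hint);
  }
  if (args.post_logout_redirect_uri) {
    url.searchParams.set("post_logout_redirect_uri", args.post_logout_redirect_uri);
  }
  return url.toString();
}

// Simplified server-side view (assumption): no id_token_hint means the
// sign-out request is unauthenticated, so the confirmation prompt is shown.
function wouldShowPrompt(endSessionUrl) {
  return !new URL(endSessionUrl).searchParams.has("id_token_hint");
}

// Constructed sample values.
const ENDPOINT = "https://idsrv.example.test/connect/endsession";
const user = { id_token: "constructed.id.token" };
const args = {
  post_logout_redirect_uri: "https://app.example.test/signout-callback-oidc",
};

// Default behaviour: the stored id_token is picked up even though the caller
// never passed id_token_hint, so the prompt is skipped.
const silentUrl = buildEndSessionUrl(ENDPOINT, args, user);

// Forcing the logout screen: use a copy of the user with id_token cleared.
const promptedUrl = buildEndSessionUrl(ENDPOINT, args, { ...user, id_token: undefined });

console.log("stored id_token  -> prompt shown:", wouldShowPrompt(silentUrl));
console.log("cleared id_token -> prompt shown:", wouldShowPrompt(promptedUrl));
```

Skipping the prompt is only safe because the hint authenticates the sign-out request; a request without it should keep the confirmation step so that a third-party page cannot silently log the user out.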
