Owin Authentication Single Sign-Out

Problem description

I've got a custom Authentication middleware working for single sign-on. I'm wondering how I should go about implementing a single sign-out solution.

I need to call Authentication.SignOut() to sign out of my application, but I then need to redirect the user to the sign out endpoint of our custom STS. Where should I handle this? Invoke? ApplyResponseGrant? Not in the handler at all, but just a manual redirect?

edit: This is an MVC app. I have everything working EXCEPT linking the local logout to logging out of the STS. Adding my existing code here would do nothing but obfuscate my question, IMO. If there is a specific piece of code that would help, let me know and I'll add it.

Ideally, I'd like some sort of event or flag that tells me the user is signing out, and then change the response into a 302 to the external logout. If I put this code in the ApplyResponseGrant, I have a feeling it will prevent the CookieAuthentication middleware from clearing the auth cookie. If I put this code in the Logout controller action (after a call to Authentication.SignOut()), then I leave it up to each application to handle the single sign off.

Recommended answer

I got it working. Here's what I did.

In my AccountController, I added a Logout action that returns a Redirect("/signout-custom").

In my OWIN handler, I watch for that URL in the Invoke method, call my remote sign out endpoint, the local sign out method, and stop OWIN processing.

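public override async Task<bool> InvokeAsync() {
    //other code

    // The Logout controller action redirects the browser to this path.
    if (Request.Path == Options.LogoutCallbackPath) {
        // Local sign-out for this authentication type.
        Context.Authentication.SignOut(Options.AuthenticationType);
        // Remote sign-out: send the browser to the STS logout endpoint.
        Response.Redirect(WebUtilities.AddQueryString(Options.ClauthLogoutUri, "returnUrl", "http://localhost:62506/Home/About"));
        // true = request handled here; stop further OWIN processing.
        return true;
    }

    //other code

    // Not the sign-out path: let the rest of the pipeline handle the request.
    return false;
}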

The redirect does not interrupt the OWIN flow, so the CookieAuthentication middleware still runs and clears the local auth cookie as it should.
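
The question also asks whether ApplyResponseGrant can act as the "user is signing out" signal. The sketch below is an added example, not code from the question or the answer: it uses Katana's Helper.LookupSignOut inside ApplyResponseGrantAsync to detect a SignOut call aimed at this handler and turn the response into a redirect to the STS. CustomSsoOptions, CustomSsoHandler, the "CustomSso" type name, LogoutUri and PostLogoutReturnUrl are hypothetical names.

```csharp
using System.Threading.Tasks;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;

// Hypothetical options class for the custom SSO middleware.
public class CustomSsoOptions : AuthenticationOptions
{
    public CustomSsoOptions() : base("CustomSso") { }

    // STS sign-out endpoint (assumed to come from configuration).
    public string LogoutUri { get; set; }

    // Where the STS sends the browser afterwards. Taken from configuration,
    // never from the incoming request, so it cannot be steered by a caller.
    public string PostLogoutReturnUrl { get; set; }
}

public class CustomSsoHandler : AuthenticationHandler<CustomSsoOptions>
{
    // This handler contributes no identity of its own in this example;
    // the local session lives in the cookie middleware.
    protected override Task<AuthenticationTicket> AuthenticateCoreAsync()
    {
        return Task.FromResult<AuthenticationTicket>(null);
    }

    // Runs for every response just before headers are sent. LookupSignOut
    // returns non-null only when SignOut was called for this authentication
    // type (or, in Active mode, with no type specified).
    protected override Task ApplyResponseGrantAsync()
    {
        AuthenticationResponseRevoke signout =
            Helper.LookupSignOut(Options.AuthenticationType, Options.AuthenticationMode);

        if (signout != null)
        {
            // Replace whatever the application returned with a 302 to the STS.
            // Only status and Location change; the cookie middleware's own
            // ApplyResponseGrant still adds its cookie-clearing header.
            Response.Redirect(WebUtilities.AddQueryString(
                Options.LogoutUri, "returnUrl", Options.PostLogoutReturnUrl));
        }

        return Task.FromResult<object>(null);
    }
}
```

With this variant the controller only calls Authentication.SignOut, naming both the cookie authentication type and "CustomSso", and each application no longer needs its own redirect to the STS.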
