Owin Authentication Single Sign-Out
Question
I've got a custom Authentication middleware working for single sign-on. I'm wondering how I should go about implementing a single sign-out solution.
I need to call Authentication.SignOut() to sign out of my application, but I then need to redirect the user to the sign out endpoint of our custom STS. Where should I handle this? Invoke? ApplyResponseGrant? Not in the handler at all, but just a manual redirect?
edit: This is an MVC app. I have everything working EXCEPT linking the local logout to logging out of the STS. Adding my existing code here would do nothing but obfuscate my question, IMO. If there is a specific piece of code that would help, let me know and I'll add it.
Ideally, I'd like some sort of event or flag that tells me the user is signing out, and then change the response into a 302 to the external logout. If I put this code in the ApplyResponseGrant, I have a feeling it will prevent the CookieAuthentication middleware from clearing the auth cookie. If I put this code in the Logout controller action (after a call to Authentication.SignOut()), then I leave it up to each application to handle the single sign off.
Recommended answer
I got it working. Here's what I did.
In my AccountController, I added a Logout action that returns a Redirect("/signout-custom").
In my OWIN handler, I watch for that URL in the Invoke method, call my remote sign out endpoint, the local sign out method, and stop OWIN processing.
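    public override async Task<bool> InvokeAsync() {
        //other code
        // Intercept the path the Logout action redirects to ("/signout-custom").
        if (Request.Path == Options.LogoutCallbackPath) {
            // Flag the local sign-out; it is applied as the response is sent.
            Context.Authentication.SignOut(Options.AuthenticationType);
            // Send the browser on to the STS sign-out endpoint.
            Response.Redirect(WebUtilities.AddQueryString(Options.ClauthLogoutUri, "returnUrl", "http://localhost:62506/Home/About"));
            // true = request handled here; later middleware is not invoked.
            return true;
        }
        //other code
    }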
The redirect does not interrupt the OWIN flow, so the CookieAuthentication middleware still runs and clears the local auth cookie as it should.
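
The question asks for a flag that says the user is signing out. As an added example (not the answerer's code), a Katana handler can read that flag in ApplyResponseGrantAsync through Helper.LookupSignOut; the CustomStsOptions type, its ReturnUrl property and the "CustomSts" type name are assumptions, while ClauthLogoutUri follows the answer's snippet.

```csharp
using System.Threading.Tasks;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;

// Hypothetical options type for this example.
public class CustomStsOptions : AuthenticationOptions
{
    public CustomStsOptions() : base("CustomSts") { }

    // Sign-out endpoint of the STS (name taken from the answer's snippet).
    public string ClauthLogoutUri { get; set; }

    // Assumption: one fixed, application-owned page to land on afterwards.
    public string ReturnUrl { get; set; }
}

public class CustomStsHandler : AuthenticationHandler<CustomStsOptions>
{
    // Required override. The existing single sign-on logic belongs here;
    // this example covers sign-out only.
    protected override Task<AuthenticationTicket> AuthenticateCoreAsync()
    {
        return Task.FromResult<AuthenticationTicket>(null);
    }

    // Called for this handler while the response is being finalized.
    protected override Task ApplyResponseGrantAsync()
    {
        // Non-null only when SignOut() was called for this authentication
        // type (or with no types, if this middleware is in Active mode).
        AuthenticationResponseRevoke signOut =
            Helper.LookupSignOut(Options.AuthenticationType, Options.AuthenticationMode);

        if (signOut != null)
        {
            // Replace whatever the action returned with a 302 to the STS.
            Response.Redirect(WebUtilities.AddQueryString(
                Options.ClauthLogoutUri, "returnUrl", Options.ReturnUrl));
        }
        return Task.FromResult<object>(null);
    }
}
```

Each handler's ApplyResponseGrantAsync runs independently, so the cookie middleware still deletes its cookie when the Logout action's SignOut call covers both authentication types. The return URL is a fixed configured value rather than one taken from the request, so the redirect cannot be steered to an arbitrary site.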