Identity Server 4 GetSchemeSupportsSignOutAsync returns incorrect response


Question


I've setup an open id connect provider, Google in this case, using the AddOpenIdConnect extension method in dotnet core. From the discovery document:

https://accounts.google.com/.well-known/openid-configuration 


It does not seem that Google supports federated sign-out, because there is no end_session endpoint. However, in Identity Server 4, the call:

var providerSupportsSignout = await HttpContext.GetSchemeSupportsSignOutAsync(idp);


returns true. So during Logout it tries to sign out of google using:

return SignOut(new AuthenticationProperties { RedirectUri = url }, vm.ExternalAuthenticationScheme);

which throws an exception:

InvalidOperationException: Cannot redirect to the end session endpoint, the configuration may be missing or invalid.


Is this a bug in Identity Server 4 or is there a configuration property that needs to be set when setting up the Oidc provider so that this extension method will pickup that the provider does not support signout?

Answer


Doesn't appear to be a bug in Identity Server 4. The code behind this extension calls out to get the underlying authentication scheme handler.

    public static async Task<bool> GetSchemeSupportsSignOutAsync(this HttpContext context, string scheme)
    {
        var provider = context.RequestServices.GetRequiredService<IAuthenticationHandlerProvider>();
        var handler = await provider.GetHandlerAsync(context, scheme);
        return (handler != null && handler is IAuthenticationSignOutHandler);
    }


In this case, your handler will be OpenIdConnectHandler, which appears to implement IAuthenticationSignOutHandler. That is why, regardless of what is in the discovery document (end session endpoint supported or not), if you use AddOpenIdConnect(...) it will always register a handler which seemingly supports sign out but, as you have pointed out, does not actually enforce the actual idp validation for that kind of functionality support (link to handler source).


And lastly, it is worthwhile to mention that the Identity Server 4 check is rightful here, as according to the Microsoft docs the IAuthenticationSignOutHandler is indeed basically a marker interface used to determine if a handler supports SignOut.


So I guess you simply can't use the generic AddOpenIdConnect(...); instead, perhaps you should use AddGoogle(...), which does not implement IAuthenticationSignOutHandler and so will work as expected with Identity Server 4 (link to source).
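Added example (not part of the question or the answer above, and not Identity Server 4 or ASP.NET Core code): if you want to keep AddOpenIdConnect(...) for a provider such as Google, the marker-interface check can be supplemented with a check of what the provider's discovery document actually advertises. The helper below resolves the scheme's handler type through IAuthenticationSchemeProvider and, for OpenIdConnectHandler-backed schemes, reads the OpenIdConnectConfiguration from the options' ConfigurationManager and only reports sign-out support when end_session_endpoint is present. The extension method name GetSchemeSupportsEndSessionAsync and the variables idp, url and vm in the usage comment are assumptions chosen for this example.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Hypothetical helper (example code, not from Identity Server 4 or ASP.NET Core).
public static class SignOutSupportExtensions
{
    // Returns true only when the scheme's handler advertises sign-out support via
    // IAuthenticationSignOutHandler AND, for OpenID Connect schemes, the provider's
    // discovery document actually contains an end_session_endpoint.
    public static async Task<bool> GetSchemeSupportsEndSessionAsync(
        this HttpContext context, string scheme, CancellationToken ct = default)
    {
        var schemeProvider = context.RequestServices.GetRequiredService<IAuthenticationSchemeProvider>();
        var authScheme = await schemeProvider.GetSchemeAsync(scheme);
        if (authScheme == null)
            return false;

        // Handlers such as the one registered by AddGoogle(...) do not implement the
        // marker interface at all, so they can never be signed out of remotely.
        if (!typeof(IAuthenticationSignOutHandler).IsAssignableFrom(authScheme.HandlerType))
            return false;

        // A non-OIDC handler that implements the marker interface is trusted as-is.
        if (!typeof(OpenIdConnectHandler).IsAssignableFrom(authScheme.HandlerType))
            return true;

        // For OIDC, consult the provider metadata rather than the marker interface.
        var options = context.RequestServices
            .GetRequiredService<IOptionsMonitor<OpenIdConnectOptions>>()
            .Get(scheme);

        // Static configuration supplied in code wins over discovery.
        if (options.Configuration != null)
            return !string.IsNullOrEmpty(options.Configuration.EndSessionEndpoint);

        if (options.ConfigurationManager == null)
            return false;

        try
        {
            var config = await options.ConfigurationManager.GetConfigurationAsync(ct);
            return !string.IsNullOrEmpty(config.EndSessionEndpoint);
        }
        catch (Exception)
        {
            // Discovery failed (network error, invalid document): treat as unsupported
            // so the logout flow falls back to a local sign-out instead of throwing.
            return false;
        }
    }
}

// Usage inside the logout action (idp, url and vm are assumed names from the question's flow):
//
//   if (await HttpContext.GetSchemeSupportsEndSessionAsync(idp))
//       return SignOut(new AuthenticationProperties { RedirectUri = url }, vm.ExternalAuthenticationScheme);
//   return Redirect(url); // provider has no end_session_endpoint: finish with a local sign-out only
```

With Google's discovery document, which has no end_session_endpoint, the helper returns false and the logout action skips the remote SignOut call that previously raised the InvalidOperationException; a provider that does publish the endpoint still gets the federated sign-out redirect.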
