0

这里我想实现SSO功能。如果我从身份服务器注销,所有使用该用户 ID 连接到该服务器的客户端都应该被注销。但它对我有用。

我正在使用身份服务器版本 =“4.0.0”

我已经设置了 IDS 客户端、用于注销的 UI 模板、MVC 客户端,如下所示。但这并不是所有客户的退出。

new Client
    {
        ClientId = "testmvc",

        AllowedGrantTypes = GrantTypes.Code,
        
       
        // secret for authentication
        ClientSecrets =
        {
            new Secret("Secret".Sha256())
        },

        AllowOfflineAccess = true,

        // scopes that client has access to
        AllowedScopes = new List<string>
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            IdentityServerConstants.StandardScopes.Address,
            "roles"
        },

        // where to redirect to after login
        RedirectUris = { "https://localhost:5002/signin-oidc" },
        
        

        // where to redirect to after logout
        PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
        

        FrontChannelLogoutUri  = "https://localhost:5002/home/frontchannellogout" ,
        
    }

在 MVC 客户端中,我创建了两个注销

//UI Logout
public async Task<IActionResult> Logout()
        {

            var client = _httpClientFactory.CreateClient("IDPClient");

            var discoveryDocumentResponse = await client.GetDiscoveryDocumentAsync();
            if (discoveryDocumentResponse.IsError)
            {
                throw new Exception(discoveryDocumentResponse.Error);
            }

            var accessTokenRevocationResponse = await client.RevokeTokenAsync(
                new TokenRevocationRequest
                {
                    Address = discoveryDocumentResponse.RevocationEndpoint,
                    ClientId = "testmvc",
                    ClientSecret = "Secret",
                    Token = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken)
                });

            if (accessTokenRevocationResponse.IsError)
            {
                throw new Exception(accessTokenRevocationResponse.Error);
            }
            
            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
            
            return Redirect(discoveryDocumentResponse.EndSessionEndpoint);
        }

//Front channel logout
            public async Task<IActionResult> FrontChannelLogout(string sid)
            {
                if (User.Identity.IsAuthenticated)
                {
                    var currentSid = User.FindFirst("sid")?.Value ?? "";
                    if (string.Equals(currentSid, sid, StringComparison.Ordinal))
                    {
                        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
                    }
    
                }
    
                return NoContent();
            }
4

1 回答 1

0

在该Logout方法中,您从两个身份验证方案(Cookie 和 OIDC)中退出,而在FrontChannelLogout您似乎只从 Cookie 方案中退出。这不是问题吗?

无论哪种方式,请尝试定义如下方法,并检查是否调用了相应的 OIDC 注销端点。

public async Task Logout()
{
    // ...
    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
}

public async Task FrontChannelLogout(string sid)
{
    if (User.Identity.IsAuthenticated)
    {
        //...
            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
    }
}
于 2021-02-18T20:46:31.680 回答