These are chat archives for IdentityServer/Thinktecture.IdentityServer3

20th Feb 2015
Brock Allen
@brockallen
Feb 20 2015 01:46
nope, sorry @Wbmstrmjb
James Geall
@jageall
Feb 20 2015 10:04
What is the expected behaviour of endsession if the id_token has expired? I am getting some issues being reported about the identity server having an error. I thought I saw a discussion around this (the closest I can find is #862). Is the easiest fix to check the id_token expiry ourselves and not send it if it has expired when we logout?
H.İlter AKSENCER
@iltera
Feb 20 2015 12:16
Hi @leastprivilege. I just wanted to confirm something which is a conflict between what @brockallen and the docs say. (Ref: IdentityServer/Thinktecture.IdentityServer3#949)
Please explain what post_logout_redirect_uri is exactly used for?
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:18
Identity Server shows a “Logout Successful” page after logging out, providing a link. This link will redirect to post_logout_redirect_url
H.İlter AKSENCER
@iltera
Feb 20 2015 12:18
When you added (by default a link is displayed) to the docs, I just got lost :(
That is the problem. @brockallen says "No Redirect!" and idsrv actually DOESN'T redirect regardless of an existing post_logout_redirect_uri. And the docs say otherwise...
The docs claim what you say, @ManuelRauber.
@brockallen doesn't agree :)
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:21
It does not redirect you automatically. But a link should be there :)
henrikniemann
@henrikniemann
Feb 20 2015 12:21
Idserver will only allow redirect when you can produce the original idtoken in the request to logout. That's another story :-)
There is a sample somewhere. Just a second.
H.İlter AKSENCER
@iltera
Feb 20 2015 12:22
You just wrote:
Identity Server shows a “Logout Successful” page after logging out, providing a link. This link will redirect to post_logout_redirect_url
I made the "providing a link" implicit.
That link is there with the existence of an id_token_hint
H.İlter AKSENCER
@iltera
Feb 20 2015 12:23
And I don't need the post_logout_redirect_uri for that!
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:23
Ah yes, I forgot about the id_token_hint :)
H.İlter AKSENCER
@iltera
Feb 20 2015 12:24
I just removed the RedirectToIdentityProvider from my startup configuration and ran idsrv without it.
Loc Tan Vo
@loctanvo
Feb 20 2015 12:25
@iltera just to double check: have you configured the client with the post-logout-redirect-uri?
H.İlter AKSENCER
@iltera
Feb 20 2015 12:26
When I logout, I just agree if I want to, and don't have a link on the page to go back to (not to redirect - as in redirect and going back are two separate things, I think :) )
When there is RedirectToIdentityProvider extension in startup, providing id_token_hint makes a URI to click appear on the logged out page, and removes the additional confirmation of logout.
@loctanvo just a sec
Yes, by RedirectToIdentityProvider what I mean is:
"app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions.... ...some code... Notifications = new OpenIdConnectAuthenticationNotifications { ...... }, RedirectToIdentityProvider = async n =>..."
H.İlter AKSENCER
@iltera
Feb 20 2015 12:31
I am defining post_logout_redirect_uri and id_token_hint in there.
Please have a look at the implementation and the conversations :)
IdentityServer/Thinktecture.IdentityServer3#949
Loc Tan Vo
@loctanvo
Feb 20 2015 12:31
yes, but in your IdServer client, have you specified the log out url there?
H.İlter AKSENCER
@iltera
Feb 20 2015 12:32
Where else do I need to specify it?
I specified it where I specified id_token_hint.
Loc Tan Vo
@loctanvo
Feb 20 2015 12:32
yes, but IdServer is validating it in the same manner as the callback url
it has to be defined as a valid post-redirect-url
H.İlter AKSENCER
@iltera
Feb 20 2015 12:33
In the issue, I mentioned adding that url in the Valid Urls
Have a look at the issue link please
H.İlter AKSENCER
@iltera
Feb 20 2015 12:33
In both ClientPostLogoutRedirectUris and ClientRedirectUris
Yes, the url is in there
and the RedirectUris also
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:34
Do you use EntityFramework for the configuration?
H.İlter AKSENCER
@iltera
Feb 20 2015 12:34
Yes
Is there an issue in the implementation of EF? :S
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:35
Did you define the PostLogoutRedirectUrl after the database has been created?
No, the default EF just imports the config if it is not present in the database
It will not update it later, if any client is defined.
Take a look at the database
H.İlter AKSENCER
@iltera
Feb 20 2015 12:36
I am making all the changes and configuration in the database
And all the changes take effect immediately
I don't believe that's the issue
And I think we are getting away from the real issue here :)
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:37
Yes, just thought that could be a reason, since I had the same problem once :D
H.İlter AKSENCER
@iltera
Feb 20 2015 12:37
I want to autoredirect the user after logout
@ManuelRauber thanks :)
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:37
As mentioned in your issue: IdSrv does not auto redirect
H.İlter AKSENCER
@iltera
Feb 20 2015 12:38

And I don't understand why the updated docs claim this:

post_logout_redirect_uri
A URI that IdentityServer can redirect to after logout (by default a link is displayed). The URI must be in the list of allowed post logout URIs for the client.

Manuel Rauber
@ManuelRauber
Feb 20 2015 12:38
It’s perfectly true: A link is displayed :)
H.İlter AKSENCER
@iltera
Feb 20 2015 12:39
"(by default a link is displayed)" is the part that confused me. It still shows just a link and does nothing more :)
id_token_hint
The id_token that the client acquired during authentication. This allows bypassing the logout confirmation screen as well as providing a post logout redirect URL
That's what id_token_hint does.
see here: "as well as providing a post logout redirect URL"
Now you see?
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:43
Well, for me it's still valid here. If you don’t provide the ID token, IdSrv shows: “Do you really want to logout” and the user has to click on “Yes”. If you provide id_token_hint the user gets logged out instantly
and “providing a post logout redirect url” does not mean “redirects to the post logout redirect url”.
H.İlter AKSENCER
@iltera
Feb 20 2015 12:44
Yes, user gets logged out instantly and a url is shown on the screen
after the logout is done
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:44
Maybe the docs should get more clear here
H.İlter AKSENCER
@iltera
Feb 20 2015 12:45
I know, I am not expecting a redirection automatically when only setting the id_token_hint
Do you have a url on the loggedout screen after the logout?
Without providing post_logout_redirect_uri, I mean.
Loc Tan Vo
@loctanvo
Feb 20 2015 12:46
no
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:46
you need it configured on both sides to get it working.
H.İlter AKSENCER
@iltera
Feb 20 2015 12:46
Do you have a url in PostLogoutRedirectUris?
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:47
Yes, as said: It is configured on both sides, client and idserver
H.İlter AKSENCER
@iltera
Feb 20 2015 12:48
That's odd... When I set id_token_hint, I bypass the confirmation and see a url on the screen.
That's when I don't add post_logout_redirect_uri property in OpenIdConnectAuthenticationOptions.
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:51
Okay, this behavior is reproducible with the provided sample MVC Hybrid app
H.İlter AKSENCER
@iltera
Feb 20 2015 12:52
Checking on that right now...
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:52
The link shows up with or without configuring the PostLogoutRedirectUrl in OpenIdConnectAuthOptions. But will not show up, if the wrong url is provided (which is good).
H.İlter AKSENCER
@iltera
Feb 20 2015 12:53
Yes, we agree on that
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:53
I don’t know the spec and if this is the correct behavior. You may open an issue so leastprivilege can take a look.
Maybe it’s different when there is more than one post logout redirect url configured. That would make sense.
Hmm no, when using more than one and you don’t provide it on client side, it will use the first configured redirect url. Seems a bit weird for me. But as said: I don’t know the spec here, but leastprivilege will :)
H.İlter AKSENCER
@iltera
Feb 20 2015 12:57
Ok, will do that.
As for now, we can get the bypass and the url with an id_token_hint. And still not sure about the "post_logout_redirect_uri" :)
Thanks for your time, it's been quite an argument :)
Manuel Rauber
@ManuelRauber
Feb 20 2015 12:58
Yes, I’m sorry. I’ve used it configured correctly and haven’t expected such a behavior. :)
H.İlter AKSENCER
@iltera
Feb 20 2015 12:58
Yes, you're right. I also realized that as I have multiple PostLogoutRedirectUrls configured in the db :)
Thanks ;)
H.İlter AKSENCER
@iltera
Feb 20 2015 13:15
opened the issue #956
Richard Forrest
@feanz
Feb 20 2015 22:49
Hi, I've set up the identity manager and it works fine locally, but when I deploy to Azure I get an "an error has occurred" message.
Does the manager support logging like the server, so I can diagnose the issue?
mryandot
@mryandot
Feb 20 2015 23:01
The latest beta does, at least:
LogProvider.SetCurrentLogProvider(new DiagnosticsTraceLogProvider());
Richard Forrest
@feanz
Feb 20 2015 23:07
I have that set for identity server v3 but it does not seem to log any manager issues. I'll try and update.
mryandot
@mryandot
Feb 20 2015 23:13
IdentityServer and IdentityManager are separate; you need to do it for each. If you want to be explicit, for both you'd need:
Thinktecture.IdentityManager.Core.Logging.LogProvider.SetCurrentLogProvider(new Thinktecture.IdentityManager.Logging.DiagnosticsTraceLogProvider());
Thinktecture.IdentityServer.Core.Logging.LogProvider.SetCurrentLogProvider(new Thinktecture.IdentityServer.Core.Logging.DiagnosticsTraceLogProvider());
You also need to make sure you configure the appropriate listeners in web.config.
mryandot
@mryandot
Feb 20 2015 23:21
That said, I haven't done much with IdentityManager, so I have no idea how much logging is actually done, I just know the infrastructure is there.
Brock Allen
@brockallen
Feb 20 2015 23:27
IdMgr logging is weak right now. I need to work on beefing it up
but also, check the security mode -- we don't allow remote connection by default
check the security mode
the wiki has some info
Richard Forrest
@feanz
Feb 20 2015 23:28
Arrh, cool, it's probably that.
I'll pop the logging update in too.