Identityserver4: Identity Provider doesn't support upstream Sign-out

Created on 26 Mar 2020 · 5 Comments · Source: IdentityServer/IdentityServer4

Question

Hi there,

For my test purposes, I created an External Identity Provider which does not support _upstream IdP Sign-out_.
Here is an example of their discovery document, where you can see that the `end_session_endpoint` is missing.
```json
{
"issuer": "https://my-domain.auth0.com/",
"authorization_endpoint": "https://my-domain.auth0.com/authorize",
"token_endpoint": "https://my-domain.auth0.com/oauth/token",
"userinfo_endpoint": "https://my-domain.auth0.com/userinfo",
"mfa_challenge_endpoint": "https://my-domain.auth0.com/mfa/challenge",
"jwks_uri": "https://my-domain.auth0.com/.well-known/jwks.json",
"registration_endpoint": "https://my-domain.auth0.com/oidc/register",
"revocation_endpoint": "https://my-domain.auth0.com/oauth/revoke",
"scopes_supported": ["openid", "profile", "offline_access", "name", "given_name", "family_name", "nickname", "email", "email_verified", "picture", "created_at", "identities", "phone", "address"],
"response_types_supported": ["code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token"],
"code_challenge_methods_supported": ["S256", "plain"],
"response_modes_supported": ["query", "fragment", "form_post"],
"subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["HS256", "RS256"],
"token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
"claims_supported": ["aud", "auth_time", "created_at", "email", "email_verified", "exp", "family_name", "given_name", "iat", "identities", "iss", "name", "nickname", "phone_number", "picture", "sub"],
"request_uri_parameter_supported": false,
"device_authorization_endpoint": "https://my-domain.auth0.com/oauth/device/code"
}
```

For the Sign-out, I'm following the example:
https://identityserver4.readthedocs.io/en/latest/topics/signout_external_providers.html

But in the method `BuildLoggedOutViewModelAsync`, which could be found below, I'm always getting true from `HttpContext.GetSchemeSupportsSignOutAsync(idp);`
https://github.com/IdentityServer/IdentityServer4.Demo/blob/master/src/IdentityServer4Demo/Quickstart/Account/AccountController.cs#L331

And also, I could see that `User.FindFirst(JwtClaimTypes.IdentityProvider)?.Value;` is returning the `AuthenticationScheme` set up at Startup.cs. 

Finally, when it fails the previous validation, my sign-out tries to call the IdP and then I get this error:
"Cannot redirect to the end session endpoint, the configuration may be missing or invalid."

Am I missing something? 
As a reference, it's the same issue reported here:

https://stackoverflow.com/questions/56565997/identity-server-4-getschemesupportssignoutasync-returns-incorrect-response


### Minimal working example
This is my code on Startup.cs
```csharp
services
    .AddAuthentication()
    .AddOpenIdConnect(IdentityProviderName,
        IdentityProviderName, options =>
        {
            options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
            options.SignOutScheme = IdentityServerConstants.SignoutScheme;
            options.Authority = IdentityProviderAuthority;
            options.MetadataAddress = IdentityProviderDiscoveryUrl;
            options.ClientId = IdentityProviderClientId;
            options.ClientSecret = IdentityProviderClientSecret;
            options.ResponseType = IdentityProviderResponseType;

            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = false,
                NameClaimType = "name"
            };

            foreach (var scope in IdentityProviderScopes)
            {
                options.Scope.Add(scope);
            }

            options.CallbackPath =
                new PathString(ServiceProviderCallbackPath);

            options.SaveTokens = true;
            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProvider = context =>
                {
                    if (context.Properties.Items.TryGetValue("username", out var username))
                    {
                        context.ProtocolMessage.LoginHint = username;
                    }

                    if (context.Properties.Items.TryGetValue("domainHint", out var domainHint))
                    {
                        context.ProtocolMessage.DomainHint = domainHint;
                    }

                    return Task.CompletedTask;
                }
            };
        });
```

### Versions

.net core: 3.1.101
IdentityServer4: 3.1.1

Thank you so much.

Labels: question, wontfix


All 5 comments

> But in the method `BuildLoggedOutViewModelAsync`, which could be found below, I'm always getting true from `HttpContext.GetSchemeSupportsSignOutAsync(idp);`

It returns true because the protocol supports signout, but it wouldn't know if the specific provider doesn't. I'd suggest changing that code to exclude your idp scheme.
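As an added illustration (not code from this issue or from the IdentityServer4 project), here is a discovery-based version of the check the comment above asks for: instead of excluding the scheme by name, ask the scheme's own configuration manager whether the provider actually advertised an `end_session_endpoint`, and fall back to a local-only sign-out when it did not. `UpstreamSignOutSupport` and `ProviderSupportsUpstreamSignOutAsync` are hypothetical names; `vm`, `_interaction` and `HttpContext` are assumed to be the quickstart `AccountController`'s own members.

```csharp
using System;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public static class UpstreamSignOutSupport
{
    // Hypothetical helper (not part of IdentityServer4): true only when the
    // OIDC scheme's discovery document advertises an end_session_endpoint.
    // GetSchemeSupportsSignOutAsync only reports that the handler can sign out.
    public static async Task<bool> ProviderSupportsUpstreamSignOutAsync(
        this HttpContext context, string scheme)
    {
        if (string.IsNullOrEmpty(scheme)) return false;

        var options = context.RequestServices
            .GetRequiredService<IOptionsMonitor<OpenIdConnectOptions>>()
            .Get(scheme);

        // Non-OIDC or unregistered schemes have no configuration manager.
        if (options?.ConfigurationManager == null) return false;

        try
        {
            var config = await options.ConfigurationManager
                .GetConfigurationAsync(context.RequestAborted);
            return !string.IsNullOrEmpty(config.EndSessionEndpoint);
        }
        catch (Exception)
        {
            // Discovery unavailable: do a local-only sign-out instead of
            // redirecting to an endpoint that cannot be validated.
            return false;
        }
    }
}

// In the quickstart's BuildLoggedOutViewModelAsync (vm and _interaction are
// the quickstart's own), use the discovery-level check instead:
var idp = User?.FindFirst(JwtClaimTypes.IdentityProvider)?.Value;
if (idp != null && idp != IdentityServerConstants.LocalIdentityProvider
    && await HttpContext.ProviderSupportsUpstreamSignOutAsync(idp))
{
    vm.LogoutId ??= await _interaction.CreateLogoutContextAsync();
    vm.ExternalAuthenticationScheme = idp;
}
```

With this check in place, a provider whose discovery document lacks `end_session_endpoint` (as in the question) never sets `ExternalAuthenticationScheme`, so the quickstart's logged-out page performs the local sign-out only and the "Cannot redirect to the end session endpoint" error is not triggered.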

Hi @brockallen,
It does make sense for me now.
I will change the code to validate it.

Thank you for your quick response.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
