Windowsserverdocs: Redirect to RP after logout

Created on 10 May 2018 · 3 Comments · Source: MicrosoftDocs/windowsserverdocs

I have a question about performing a logout from the app and ADFS and returning the user back to the application (RP).

Description

I've setup Windows Server 2016 with ADFS 4.0 and enabled OpenID Connect authentication for users in the local AD.

The authentication (login) using OpenID Connect works (the authorization code flow as well as the implicit flow). Sign-out (logout) works as well. The problem is that after the signout, the user is left on the ADFS signout page and not redirected back to the RP, even though the RP provides the URL in the post_logout_redirect_uri variable. An example URL is this:

https://win-910etfa6g5q.mydomain.local/adfs/oauth2/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A58196%2Fsignout-callback-oidc&state=state-here&x-client-SKU=ID_NET&x-client-ver=2.1.4.0

I am referring to the documentation in this repo: https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-fs/development/ad-fs-logout-openid-connect.md

Expected outcome

The browser should be redirected to the post_logout_redirect_uri after logout on the ADFS

Actual outcome

The browser stays on the signout page on the ADFS (https://win-910etfa6g5q.mydomain.local/adfs/oauth2/logout?etc...)

Integration details

I'm using ASP.NET Core MVC application with Microsoft.AspNetCore.Authentication.OpenIdConnect package to integrate with it. I tried both the Implicit flow and Authorization code flow.

I figured that the logout url should be set for this application and couldn't find it in the UI, so I've set it using PowerShell: Get-AdfsServerApplication | Set-AdfsServerApplication -LogoutUri http://localhost:58196/signout-callback-oidc and verified with Get-AdfsServerApplication:

ADUserPrincipalName                  :
ClientSecret                         : ********
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys                       : {}
JWKSUri                              :
Name                                 : TestAppGroup - Server application
Identifier                           : 1e0ae584-52d9-45e3-a3d9-b3216a0a26bc
ApplicationGroupIdentifier           : TestAppGroup
Description                          :
Enabled                              : True
RedirectUri                          : {http://localhost:58196/signin-oidc}
LogoutUri                            : http://localhost:58196/signout-callback-oidc

The ADFS is still not redirecting to the specified logout URI and I'm wondering if I understood the documentation incorrectly. Perhaps the documentation is referring to the fact that ADFS is supposed to "call" all applications that the user signed into on the following URLs? But that is not happening either.

I am performing tests from a dev machine (localhost) and connecting to ADFS win-910etfa6g5q.mydomain.local (different machine). I am using self-signed certificates, FWIW.

Label: identity


All 3 comments

Additionally, I found this error in event log:

The specified redirect URL did not match any of the OAuth client's redirect URIs. The logout was successful but the client will not be redirected. 

URL: http://localhost:58196/signout-callback-oidc

even though the "Server application" is configured with this URL:
[screenshot, 2018-05-10: ADFS "Server application" configuration showing the logout URL]

I've added this URL to the redirect urls as well:

> Get-AdfsServerApplication 
[snip]
RedirectUri                          : {http://localhost:58196/signin-oidc,
                                       http://localhost:58196/signout-callback-oidc}
LogoutUri                            : http://localhost:58196/signout-callback-oidc

Just found out that the error is misleading. There is no issue with the logout URI property, but rather that the id_token_hint is missing from the logout request.

In order to implement this, one has to store the id_token issued, so it can be provided to the logout endpoint. I found out that if you're using ASP.NET OpenIdConnect package to implement the flows, you can set the SaveTokens option to true, and the library will persist the id_token as part of the claims which are sent to the client (the cookie holding the claims just got bigger :().

I'm not entirely sure why the id_token_hint is a MUST (since it is "only" RECOMMENDED in the spec).

I believe the error message in the event log should reflect the actual reason for redirect rejection.

Any thoughts?
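For readers hitting the same behaviour, here is what the fix described in the comment above looks like in an ASP.NET Core app using the Microsoft.AspNetCore.Authentication.OpenIdConnect package. This is an added example, not code from the issue or from the windowsserverdocs project: the ADFS host name and the callback paths are taken from the issue, while the client id and secret are placeholders and the `/logout` endpoint and the event-based check are assumptions about how one would wire it up. The point it demonstrates is that with `SaveTokens = true` the handler keeps the id_token in the authentication cookie and `SignOutAsync` on the OIDC scheme sends it as `id_token_hint`; the `OnRedirectToIdentityProviderForSignOut` event lets you log when the hint is missing, which is the condition behind the misleading "redirect URL did not match" event-log entry.

```csharp
// Program.cs for an ASP.NET Core (.NET 6+) web app. Example code, not from the issue.
// Requires the Microsoft.AspNetCore.Authentication.OpenIdConnect NuGet package.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // ADFS host from the issue; discovery is read from /adfs/.well-known/openid-configuration.
        options.Authority = "https://win-910etfa6g5q.mydomain.local/adfs";
        options.ClientId = "<server-application-identifier>";   // placeholder
        options.ClientSecret = "<client-secret>";                // placeholder
        options.ResponseType = OpenIdConnectResponseType.Code;

        options.CallbackPath = "/signin-oidc";                   // must match RedirectUri in ADFS
        options.SignedOutCallbackPath = "/signout-callback-oidc"; // must match LogoutUri in ADFS

        // Persist id_token (and other tokens) in the auth cookie. The OIDC handler reads the
        // stored id_token during SignOutAsync and sends it as id_token_hint to the
        // ADFS end-session endpoint; without it ADFS signs the user out but does not redirect.
        options.SaveTokens = true;

        options.Events = new OpenIdConnectEvents
        {
            // Assumed check: surface the missing-hint case in the app's own log so it is not
            // mistaken for a redirect-URI mismatch on the ADFS side.
            OnRedirectToIdentityProviderForSignOut = ctx =>
            {
                if (string.IsNullOrEmpty(ctx.ProtocolMessage.IdTokenHint))
                {
                    ctx.HttpContext.RequestServices
                        .GetRequiredService<ILogger<Program>>()
                        .LogWarning(
                            "Sign-out request carries no id_token_hint; ADFS will not redirect to {Uri}",
                            ctx.ProtocolMessage.PostLogoutRedirectUri);
                }
                return Task.CompletedTask;
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", (HttpContext ctx) => $"Signed in as {ctx.User.Identity?.Name}")
   .RequireAuthorization();

// Clears the local cookie, then redirects the browser to the ADFS end-session endpoint with
// id_token_hint and post_logout_redirect_uri. After ADFS calls back /signout-callback-oidc,
// the handler sends the browser to RedirectUri ("/").
app.MapGet("/logout", async (HttpContext ctx) =>
{
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme,
        new AuthenticationProperties { RedirectUri = "/" });
});

app.Run();
```

The trade-off the comment mentions still applies: `SaveTokens = true` stores the id_token (and, for the code flow, the access and refresh tokens) in the authentication cookie, so the cookie grows and the tokens now live in the browser under the cookie's protection; if that is unwanted, store the id_token server-side (for example in session or a ticket store) and set `ctx.ProtocolMessage.IdTokenHint` yourself in the same `OnRedirectToIdentityProviderForSignOut` event.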

Closing due to inactivity. Please reopen to pursue further. Thanks!
