Comments (4)
Thank you so much for that comment - that had me stumped!
from active-directory-b2c-dotnetcore-webapp.
Just spent the entire day troubleshooting and debugging this issue.
It boils down to the fact that when SignedOutCallbackPath is left unassigned and uses its default value, the OIDC middleware has no criteria to select the right policy when processing a sign-out callback, and simply picks the first declared one.
As a result, when any policy other than the first declared one is being signed out of, the following method fails to re-hydrate the properties previously sent to (and echoed by) the identity provider in the encrypted "state" parameter, which contains the ultimate PostLogoutRedirectUri.
OpenIdConnectHandler.cs (v1.1.0):

    protected virtual Task<bool> HandleSignOutCallbackAsync()
    {
        StringValues protectedState;
        if (Request.Query.TryGetValue(OpenIdConnectParameterNames.State, out protectedState))
        {
            var properties = Options.StateDataFormat.Unprotect(protectedState);
            if (!string.IsNullOrEmpty(properties?.RedirectUri))
            {
                Response.Redirect(properties.RedirectUri);
                return Task.FromResult(true);
            }
        }
        return Task.FromResult(true);
    }
The reason for the failure is that Options.StateDataFormat.Unprotect() internally uses its own KeyRingBasedDataProtector, which is policy-specific, resulting in the following exception being thrown by the latter:
The payload was invalid.
Obviously, it cannot decrypt data previously encrypted by another protector which most certainly used a different encryption key.
Notably, the exception is then silently suppressed in SecureDataFormat.cs for security reasons:
    public TData Unprotect(string protectedText, string purpose)
    {
        try
        {
            if (protectedText == null)
            {
                return default(TData);
            }
            var protectedData = Base64UrlTextEncoder.Decode(protectedText);
            if (protectedData == null)
            {
                return default(TData);
            }
            var protector = _protector;
            if (!string.IsNullOrEmpty(purpose))
            {
                protector = protector.CreateProtector(purpose);
            }
            var userData = protector.Unprotect(protectedData);
            if (userData == null)
            {
                return default(TData);
            }
            return _serializer.Deserialize(userData);
        }
        catch
        {
            // TODO trace exception, but do not leak other information
            return default(TData);
        }
    }
Therefore, no redirect is sent to the user agent.
So, it seems to work as expected and, as @onovotny pointed out, we just need to give it a hint by specifying distinct per-policy signed-out callback paths.
from active-directory-b2c-dotnetcore-webapp.
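The workaround @onovotny describes, written out as an added example; this is not code from the sample repository or from ASP.NET Core, and it uses the ASP.NET Core 2.x AddOpenIdConnect API rather than the 1.1 middleware the quoted handler belongs to. Each B2C policy is registered as its own scheme, named after the policy, with CallbackPath, SignedOutCallbackPath and RemoteSignOutPath that embed the policy name. An incoming sign-out callback then matches exactly one scheme, and that scheme's own StateDataFormat protector is the one that issued the state it is asked to unprotect. Tenant, client id, policy names and the metadata URL are placeholders.

```csharp
// Added example, not code from the sample repository or from ASP.NET Core.
// Tenant, client id, policy names and the metadata URL are placeholders.
using System;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class B2CAuthenticationSetup
{
    // Placeholder values; take the real ones from your own B2C tenant.
    private const string TenantName = "contoso";
    private const string TenantDomain = "contoso.onmicrosoft.com";
    private const string ClientId = "00000000-0000-0000-0000-000000000000";

    // One OIDC scheme per policy; the policy name doubles as the scheme name.
    public static readonly string[] Policies =
    {
        "B2C_1_SignUpIn",
        "B2C_1_EditProfile",
        "B2C_1_ResetPassword",
    };

    // Paths are derived from the policy so no two schemes share a callback.
    public static string CallbackPathFor(string policy) =>
        "/signin-oidc/" + policy.ToLowerInvariant();

    public static string SignedOutCallbackPathFor(string policy) =>
        "/signout-callback-oidc/" + policy.ToLowerInvariant();

    public static string RemoteSignOutPathFor(string policy) =>
        "/signout-oidc/" + policy.ToLowerInvariant();

    public static void ConfigureServices(IServiceCollection services)
    {
        var auth = services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        });
        auth.AddCookie();

        foreach (var policy in Policies)
        {
            auth.AddOpenIdConnect(policy, options =>
            {
                // Placeholder b2clogin.com metadata URL for this policy.
                options.MetadataAddress =
                    $"https://{TenantName}.b2clogin.com/{TenantDomain}/{policy}/v2.0/.well-known/openid-configuration";
                options.ClientId = ClientId;
                options.ResponseType = OpenIdConnectResponseType.IdToken;
                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

                // Distinct per policy. The handler picks a scheme by matching the
                // request path, so a shared default path would always land on the
                // first registered scheme, whose data protector cannot unprotect
                // state issued by another scheme.
                options.CallbackPath = CallbackPathFor(policy);
                options.SignedOutCallbackPath = SignedOutCallbackPathFor(policy);
                options.RemoteSignOutPath = RemoteSignOutPathFor(policy);
            });
        }
    }
}

public class AccountController : Controller
{
    // GET /Account/SignOutOfPolicy?policy=B2C_1_SignUpIn
    [HttpGet]
    public IActionResult SignOutOfPolicy(string policy)
    {
        // Only sign out of schemes we actually registered; the scheme name
        // comes from the query string, so never pass it through unchecked.
        if (policy == null || Array.IndexOf(B2CAuthenticationSetup.Policies, policy) < 0)
        {
            return BadRequest();
        }

        // RedirectUri travels to B2C inside the protected "state" parameter and
        // comes back to /signout-callback-oidc/<policy>, which only this
        // policy's scheme handles, so its own protector can unprotect it.
        var properties = new AuthenticationProperties { RedirectUri = "/" };
        return SignOut(properties, CookieAuthenticationDefaults.AuthenticationScheme, policy);
    }
}
```

With this layout the post-logout redirect in "state" is protected and unprotected by the same scheme, so the empty-properties path in HandleSignOutCallbackAsync quoted above is never taken. Register every path you set here as a reply URL on the B2C application as well, or B2C will reject the callbacks.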
Man, oh, man. Thank you. Where do I send the beer? This was making me nuts.
from active-directory-b2c-dotnetcore-webapp.
I don't believe this is applicable anymore with the updated 1.1 sample. I'll close the issue. Let me know if this is still an issue and we can reopen/revisit.
from active-directory-b2c-dotnetcore-webapp.
Related Issues (20)
- got secure error when I try to sign in
- Not compatible with aspnet core 2.1
- Error from RemoteAuthentication: Message contains error: 'redirect_uri_mismatch', error_description: 'AADB2C90006: The redirect URI 'http://b2.95e4700435c54427a457.northeurope.aksapp.io/signin-oidc' provided in the request is not registered for the client id 'eb201049-e7b1-4227-9a7c-5bb259261d37'. Correlation ID: 8f75359e-009f-44e3-b537-3f85f58cdd9c
- User.Identity.Name is null and HttpContext.User.Claims is empty
- ERROR Account username: Missing from the token response environment login.microsoftonline.com home account id: AccountId: XXXX
- Single-Sign Out AD B2C
- NullReferenceException in MSALSessionCache constructor
- acquireTokenSilent sometimes returns a null accesstoken
- Error messages in OnRemoteFailure should be url encoded before appending to query string
- Latest version of AAD B2C?
- Update the repository to not use Bower
- Update the repository to use the latest MSAL version
- b2clogin.com for ASP.NET Core
- No accounts being returned on cca.GetAccountsAsync()
- Words 'simple' and 'dead simple' should be removed from content.
- Unit testing for SessionController
- Compatibility with .NET Core 3.1
- How do I diagnose errors?
- How to pass domain_hint while calling B2C for login
- How to select a policy at runtime?