
Infinite redirects loop on logout with OpenIdConnect/Auth0


In our project we are using OpenIdConnect to integrate with Auth0 for federated login, and got stuck on the logout part.

We are running with EPiServer 11.3.3 and using IIS.

We've based our code on these docs:

https://world.episerver.com/documentation/developer-guides/CMS/security/integrate-azure-ad-using-openid-connect/

The code looks as follows for the configuration in startup.cs:

using System;
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using EPiServer.Security;
using EPiServer.ServiceLocation;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// clientId, aadInstance, postLogoutRedirectUri and LogoutPath are fields set elsewhere
// in the Startup class (read from web.config appSettings); LogoutPath is "/logout".
public void Configuration(IAppBuilder app)
{
    // The cookie middleware owns the local session; OIDC only establishes it.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = aadInstance,
        Scope = "openid serialNumber AuthenticationMethod",
        ResponseType = OpenIdConnectResponseTypes.IdToken,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        RedirectUri = ConfigurationManager.AppSettings["DomainUrl"],
        TokenValidationParameters = new TokenValidationParameters
        {
            // Signature is still checked against the Authority's published keys, but the
            // iss claim is not; for a single-tenant Auth0 app set ValidateIssuer = true
            // and ValidIssuer = the tenant's issuer URL.
            ValidateIssuer = false,
            RoleClaimType = ClaimTypes.Role
        },
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthenticationFailed = context =>
            {
                context.HandleResponse();
                context.Response.Write(context.Exception.Message);
                return Task.FromResult(0);
            },
            RedirectToIdentityProvider = context =>
            {
                // To avoid a redirect loop to the federation server send 403
                // when user is authenticated but does not have access
                if (context.OwinContext.Response.StatusCode == 401 &&
                    context.OwinContext.Authentication.User.Identity.IsAuthenticated)
                {
                    context.OwinContext.Response.StatusCode = 403;
                    context.HandleResponse();
                }
                return Task.FromResult(0);
            },
            SecurityTokenValidated = (ctx) =>
            {
                // Keep the post-login redirect local: strip scheme/host from an absolute RedirectUri
                var redirectUri = new Uri(ctx.AuthenticationTicket.Properties.RedirectUri, UriKind.RelativeOrAbsolute);
                if (redirectUri.IsAbsoluteUri)
                {
                    ctx.AuthenticationTicket.Properties.RedirectUri = redirectUri.PathAndQuery;
                }
                // Test scaffolding: every authenticated user gets a fixed name and the
                // CMS/Web editor and admin roles. Replace with claims derived from the id_token
                // before going to production.
                ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Name, "MyTestUser"));
                ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, "CmsEditors"));
                ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, "CmsAdmins"));
                ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, "WebEditors"));
                ctx.AuthenticationTicket.Identity.AddClaim(new Claim(ClaimTypes.Role, "WebAdmins"));

                // Sync user and the roles to EPiServer in the background
                // (ISynchronizingUserService as in the linked Episerver guide)
                ServiceLocator.Current.GetInstance<ISynchronizingUserService>()
                    .SynchronizeAsync(ctx.AuthenticationTicket.Identity);
                return Task.FromResult(0);
            }
        }
    });
    app.UseStageMarker(PipelineStage.Authenticate);
    app.Map(LogoutPath, map =>
    {
        map.Run(ctx =>
        {
            // No authentication types given: signs out of every middleware, including OIDC
            ctx.Authentication.SignOut();
            return Task.FromResult(0);
        });
    });
}

This is pretty much the same as the default code. When we link to the LogoutPath we get the error "ERR_TOO_MANY_REDIRECTS" in the browser, and the URL looks like this:

http://localhost:44444/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A44444&x-client-SKU=ID_NET451&x-client-ver=5.2.1.0

The error may not be EPiServer related, but at the same time I can not rule it out either. Any advice on what I'm missing here?

//J

#193578
May 31, 2018 16:57

If you debug while logging out, can you see if a logout request is sent to Auth0 at all?

What cookies exist when logging out?

#193689
Edited, Jun 04, 2018 4:47

The breakpoints never get hit when I try to debug after logout. The cookies are removed, all of them, and if I go to a page that requires authentication I get redirected to the login page again, which is correct, so I do actually get logged out. But the issue remains that I'm getting stuck in the redirect loop. That leaves me with the PostLogoutRedirectUri property, which I've just set to the start page (http://localhost:44444), which should only redirect me to the start page. I'm still confused about what is causing the loop.

#193792
Jun 05, 2018 11:06

You should do something like this in the app.Map(LogoutPath):

using System;
using System.Threading.Tasks;
using System.Web;
using EPiServer.Web;

map.Run(ctx =>
{
    // Clear the local session (cookie + OIDC middleware)
    ctx.Authentication.SignOut();

    // Then end the Auth0 session as well. returnTo is a URL inside a query string, so it
    // must be encoded, and it has to be listed under "Allowed Logout URLs" for the
    // client in the Auth0 dashboard or Auth0 will refuse the redirect.
    var response = HttpContext.Current.Response;
    response.Redirect(string.Format("https://yo-accnt.eu.auth0.com/v2/logout?returnTo={0}",
        Uri.EscapeDataString(SiteDefinition.Current.SiteUrl.ToString())));

    return Task.FromResult(0);
});
#193979
Jun 09, 2018 0:13
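As an added example, not code from this thread or from Episerver or Auth0, here is a logout wiring that takes the middleware-built end-session redirect out of the picture. The URL in the first post (/logout?post_logout_redirect_uri=...&x-client-SKU=ID_NET451&x-client-ver=5.2.1.0) is the shape Katana's OpenIdConnect middleware produces when the discovery document it loaded carries no end_session_endpoint: the logout request URL is built with an empty base, the browser resolves it against the current path, lands on /logout again, SignOut() runs again, and the loop closes. The example below intercepts the middleware's logout request in RedirectToIdentityProvider and sends the browser to Auth0's /v2/logout endpoint instead, with client_id and a URL-encoded returnTo that is checked against an allow-list before use. The tenant name, client id, site URL and allow-list are assumptions, and the type names follow Microsoft.IdentityModel 5.x (the version shown in the x-client-ver parameter).

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Assumed values: replace with your own Auth0 tenant, client id and site URL.
    private const string Auth0Domain = "your-tenant.eu.auth0.com";
    private const string Auth0ClientId = "your-client-id";
    private const string SiteUrl = "https://localhost:44444/";
    private const string LogoutPath = "/logout";

    // Only these absolute URLs may be sent as returnTo. Keep the same list under
    // "Allowed Logout URLs" in the Auth0 dashboard; Auth0 rejects anything not listed there.
    private static readonly HashSet<string> AllowedReturnTo =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { SiteUrl };

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = Auth0ClientId,
            Authority = "https://" + Auth0Domain + "/",
            ResponseType = OpenIdConnectResponseType.IdToken,
            PostLogoutRedirectUri = SiteUrl,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = context =>
                {
                    // Authorization requests pass through untouched.
                    if (context.ProtocolMessage.RequestType != OpenIdConnectRequestType.Logout)
                    {
                        return Task.FromResult(0);
                    }
                    // The middleware is about to redirect to its end-session URL. Without an
                    // end_session_endpoint that URL is relative and lands back on /logout, so
                    // take over and redirect to Auth0's logout endpoint ourselves.
                    var returnTo = BuildReturnTo(context.ProtocolMessage.PostLogoutRedirectUri, context.Request);
                    context.Response.Redirect(BuildAuth0LogoutUrl(returnTo));
                    context.HandleResponse();
                    return Task.FromResult(0);
                }
            }
        });
        app.UseStageMarker(PipelineStage.Authenticate);

        app.Map(LogoutPath, map => map.Run(ctx =>
        {
            // Sign out of the local cookie and the OIDC middleware explicitly; the latter
            // raises RedirectToIdentityProvider with RequestType == Logout, handled above.
            ctx.Authentication.SignOut(
                CookieAuthenticationDefaults.AuthenticationType,
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
            return Task.FromResult(0);
        }));
    }

    // Resolve a relative post-logout URI against the current request, then reject anything
    // not on the allow-list so the logout flow cannot be used as an open redirect.
    internal static string BuildReturnTo(string postLogoutUri, IOwinRequest request)
    {
        if (string.IsNullOrEmpty(postLogoutUri))
        {
            return null;
        }
        if (postLogoutUri.StartsWith("/"))
        {
            postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
        }
        return AllowedReturnTo.Contains(postLogoutUri) ? postLogoutUri : null;
    }

    // https://{tenant}/v2/logout?client_id=...&returnTo=... with both values URL-encoded.
    internal static string BuildAuth0LogoutUrl(string returnTo)
    {
        var url = "https://" + Auth0Domain + "/v2/logout?client_id=" + Uri.EscapeDataString(Auth0ClientId);
        if (!string.IsNullOrEmpty(returnTo))
        {
            url += "&returnTo=" + Uri.EscapeDataString(returnTo);
        }
        return url;
    }
}
```

With this in place, hitting /logout once clears the local cookie, ends the Auth0 session and returns the browser to the allow-listed site URL; if the returnTo does not pass the allow-list the user simply stays on Auth0's logged-out page rather than being bounced to an attacker-chosen host.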