I have already gone through the links here, here and here, which are related to the problem that I have.
I have a Silverlight application using IdentityServer3 for authentication, and I only started seeing this problem when I implemented the logout function. Note that the problem has nothing to do with Silverlight, because the login and logout functionality is actually implemented on the server side, which is a classic ASP.NET Web Forms application (.NET 4.5.1).
The application never had a logout function, so users simply closed the browser and we never encountered this problem before. We now have a Logout.aspx page, and the Silverlight application has a link to this page.
Logout.aspx Page
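/// <summary>
/// Code-behind for Logout.aspx: tears down the local ASP.NET session and asks the
/// OWIN authentication middleware to sign the current user out.
/// </summary>
public partial class Logout : System.Web.UI.Page
{
    /// <summary>
    /// Runs on every request to the page. Authenticated callers are signed out;
    /// every caller is then redirected to the site root.
    /// </summary>
    /// <param name="sender">The page raising the event.</param>
    /// <param name="e">Unused event data.</param>
    protected void Page_Load(object sender, EventArgs e)
    {
        // NOTE(review): the sign-out runs from Page_Load, so a plain GET to this page
        // (including one triggered by a cross-site link or image tag) logs the user out.
        // Consider requiring a POST carrying an anti-forgery token.
        if (Request.IsAuthenticated)
        {
            // Clear() only empties the session bag; the session itself stays alive under
            // the same id. Abandon() also destroys it server-side at the end of the
            // request, so nothing stored before logout can be reached afterwards.
            // NOTE(review): ASP.NET keeps reusing the session-id cookie by default;
            // expire that cookie as well if a fresh id is required after logout.
            Session.Clear();
            Session.Abandon();

            // No authentication types are named here, so which middleware reacts is
            // decided by the OWIN pipeline configuration.
            // NOTE(review): presumably both the "Cookies" and the OpenID Connect
            // middleware handle this call - confirm against the startup class.
            Request.GetOwinContext().Authentication.SignOut();
        }

        // NOTE(review): if the OpenID Connect middleware answers the sign-out with its
        // own redirect to the identity provider, it competes with this local redirect;
        // verify in a trace which Location header the browser actually receives.
        Response.Redirect("/");
    }
}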
Default.aspx page. This is the start page
/// <summary>
/// Code-behind for Default.aspx, the application's start page. Anonymous visitors
/// are sent to the OpenID Connect provider before the page is used.
/// </summary>
public partial class Default : Page
{
    /// <summary>
    /// Issues an OpenID Connect challenge when the current request is not authenticated.
    /// </summary>
    /// <param name="sender">The page raising the event.</param>
    /// <param name="e">Unused event data.</param>
    protected void Page_Load(object sender, EventArgs e)
    {
        var current = System.Web.HttpContext.Current;

        // Nothing to do for a request that already carries an authenticated identity.
        if (current.Request.IsAuthenticated)
        {
            return;
        }

        // After a successful sign-in the user is sent back to the site root. The value
        // is a fixed local path, not request data, so it cannot be steered off-site.
        var properties = new AuthenticationProperties { RedirectUri = "/" };

        // The challenge names the OpenID Connect authentication type explicitly.
        current.GetOwinContext().Authentication.Challenge(properties, OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }
}
OWIN startup class where OpenID Connect is configured
// Local sign-in state is kept in a cookie issued under the "Cookies" authentication
// type; the OpenID Connect middleware refers to the same name through
// SignInAsAuthenticationType.
// NOTE(review): CookieSecure is not set here. On an HTTPS-only site consider
// CookieSecureOption.Always so the authentication cookie is never sent over plain HTTP.
var cookieOptions = new CookieAuthenticationOptions();
cookieOptions.AuthenticationType = "Cookies";
cookieOptions.LoginPath = new Microsoft.Owin.PathString("/Default.aspx");
app.UseCookieAuthentication(cookieOptions);
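// Registers the OpenID Connect middleware. Authority, client id and redirect URI come
// from appSettings; only an id_token is requested and the resulting identity is
// persisted through the "Cookies" middleware.
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Authority = ConfigurationManager.AppSettings["Authority"],
    Scope = "openid profile",
    ClientId = ConfigurationManager.AppSettings["ClientId"],
    RedirectUri = ConfigurationManager.AppSettings["RedirectUri"],
    ResponseType = "id_token",
    SignInAsAuthenticationType = "Cookies",
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        // Replaces the validated identity with a trimmed one that carries only the
        // subject, the optional user name and the raw id_token.
        SecurityTokenValidated = (context) =>
        {
            var id = context.AuthenticationTicket.Identity;
            var newIdentity = new ClaimsIdentity(id.AuthenticationType);

            // The subject identifies the user, so fail closed with a clear message
            // instead of letting AddClaim(null) throw an opaque ArgumentNullException.
            var sub = id.FindFirst(ClaimTypes.NameIdentifier);
            if (sub == null)
            {
                throw new System.InvalidOperationException(
                    "The validated identity does not contain a subject (NameIdentifier) claim.");
            }

            // preferred_username is an optional claim; copy it only when it was issued.
            var username = id.FindFirst("preferred_username");
            if (username != null)
            {
                newIdentity.AddClaim(username);
            }

            newIdentity.AddClaim(sub);

            // The raw id_token is kept so it can be replayed as id_token_hint at logout.
            // It is stored inside the authentication ticket and therefore adds to the
            // size of the authentication cookie.
            newIdentity.AddClaim(new Claim("id_token", context.ProtocolMessage.IdToken));

            context.AuthenticationTicket = new AuthenticationTicket(
                newIdentity,
                context.AuthenticationTicket.Properties);
            return Task.FromResult(0);
        },
        // Attaches id_token_hint to logout requests sent to the identity provider.
        RedirectToIdentityProvider = (context) =>
        {
            if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
            {
                // A logout request can arrive without a signed-in user or without the
                // stored token; dereferencing .Value directly would then throw a
                // NullReferenceException and abort the sign-out.
                var user = context.OwinContext.Authentication.User;
                var idTokenClaim = user != null ? user.FindFirst("id_token") : null;
                if (idTokenClaim != null)
                {
                    context.ProtocolMessage.IdTokenHint = idTokenClaim.Value;
                }
            }
            return Task.FromResult(0);
        },
    }
});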
Steps to reproduce the problem:
Fiddler identityServer - default.aspx. roundtrip OpenIdConnect.nonce.OpenIdConnect cookie, - .
, , Microsoft.Owin.Security.OpenIdConnect 3.0.0 .
. , OpenIdConnect.nonce.OpenIdConnect cookie . Fiddler cookie . HttpContext.Current.Request.IsAuthenticated . .