From 92122c11b07b2eddada7c3b80523eff6fcdd83f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Chalet?= Date: Sun, 14 Aug 2016 13:31:24 +0200 Subject: [PATCH] Remove the built-in logout handling feature --- .../OpenIddictProvider.Session.cs | 57 ------------------- 1 file changed, 57 deletions(-) diff --git a/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Session.cs b/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Session.cs index eb1fd715..df028ab4 100644 --- a/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Session.cs +++ b/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Session.cs @@ -6,13 +6,10 @@ using System; using System.IO; -using System.Linq; -using System.Security.Claims; using System.Threading.Tasks; using AspNet.Security.OpenIdConnect.Extensions; using AspNet.Security.OpenIdConnect.Server; using JetBrains.Annotations; -using Microsoft.AspNetCore.Builder; using Microsoft.AspNetCore.Diagnostics; using Microsoft.AspNetCore.WebUtilities; using Microsoft.Extensions.Caching.Distributed; @@ -91,60 +88,6 @@ namespace OpenIddict.Infrastructure { public override async Task HandleLogoutRequest([NotNull] HandleLogoutRequestContext context) { var services = context.HttpContext.RequestServices.GetRequiredService>(); - // Only validate the id_token_hint if the user is still logged in. - // If the authentication cookie doesn't exist or is no longer valid, - // the user agent is immediately redirected to the client application. - if (!context.HttpContext.User.Identities.Any(identity => identity.IsAuthenticated)) { - services.Logger.LogDebug("The logout request was silently processed without requiring user confirmation " + - "because the user was not authenticated or his session was no longer valid."); - - // Redirect the user agent back to the client application. - await context.HttpContext.Authentication.SignOutAsync(context.Options.AuthenticationScheme); - - // Mark the response as handled - // to skip the rest of the pipeline. - context.HandleResponse(); - - return; - } - - // At this stage, ensure the authentication cookie contains the required ClaimTypes.NameIdentifier claim. - // If it cannot be found, don't handle the logout request at this stage and continue to the next middleware. - var identifier = context.HttpContext.User.GetClaim(ClaimTypes.NameIdentifier); - if (!string.IsNullOrEmpty(identifier)) { - // When the client application sends an id_token_hint parameter, the corresponding identity can be retrieved using - // AuthenticateAsync and used as a way to determine whether the logout request has been sent by a legit caller. - // If the token cannot be extracted, don't handle the logout request at this stage and continue to the next middleware. - var principal = await context.HttpContext.Authentication.AuthenticateAsync(context.Options.AuthenticationScheme); - if (principal != null && principal.HasClaim(ClaimTypes.NameIdentifier, identifier)) { - services.Logger.LogInformation("The user '{Username}' was successfully logged out without requiring confirmation.", - services.Users.GetUserName(principal)); - - // Delete the ASP.NET Core Identity cookies. - await services.SignIn.SignOutAsync(); - - // Redirect the user agent back to the client application. - await context.HttpContext.Authentication.SignOutAsync(context.Options.AuthenticationScheme); - - // Mark the response as handled - // to skip the rest of the pipeline. - context.HandleResponse(); - - return; - } - - else { - services.Logger.LogInformation("The logout request was not silently processed because " + - "the id_token_hint parameter was missing or invalid or " + - "didn't correspond to the logged in user."); - } - } - - else { - services.Logger.LogWarning("The logout request was not silently processed because the mandatory " + - "ClaimTypes.NameIdentifier claim was missing from the current principal."); - } - // If no request_id parameter can be found in the current request, assume the OpenID Connect // request was not serialized yet and store the entire payload in the distributed cache // to make it easier to flow across requests and internal/external logout workflows.