Single sign-out in ASP.NET Core OpenID Connect

I have a number of applications that authenticate users through single sign-on (SSO) with Auth0. One of them is an ASP.NET Core MVC application that uses the ASP.NET Core OpenID Connect (OIDC) middleware. The single sign-on works fine. For single sign-out from the current app, I'm calling Auth0's /v2/logout endpoint from the OnRedirectToIdentityProviderForSignOut event, per Auth0's quickstart example. However, I don't know how to configure the app to clear the local session when there is an SSO session sign-out from another app. Auth0 mentions:

Redirecting users to the logout endpoint does not cover the scenario where users need to be signed out of all of the applications they used. If you need to provide this functionality you will have to handle this in one of two ways:

  • Have short timeouts on your local session and redirect to Auth0 at short intervals to re-authenticate. This can be done by calling checkSession from the client which does this redirect in a hidden iFrame. If you take the hidden iFrame approach you need to be aware of rate limits and third-party cookie issues.

  • Handle this entirely at the application level by providing your applications a way to notify all other applications when a logout occurs.

My impression is that the checkSession suggestion is aimed at SPAs. How does the ASP.NET Core OpenID Connect middleware handle this kind of SSO session sign-out? Does it automatically re-authenticate with the authentication server periodically? If so, how is that frequency configured?

The AddOpenIdConnect middleware has a dedicated URL it listens on, which the external provider can call after the user has signed out.

The URLs are defined in the source here, as follows:

SignedOutCallbackPath = new PathString("/signout-callback-oidc");
RemoteSignOutPath = new PathString("/signout-oidc");


/// <summary>
/// The request path within the application's base path where the user agent will be returned after sign out from the identity provider.
/// See post_logout_redirect_uri from http://openid.net/specs/openid-connect-session-1_0.html#RedirectionAfterLogout.
/// </summary>
public PathString SignedOutCallbackPath { get; set; }

/// <summary>
/// Requests received on this path will cause the handler to invoke SignOut using the SignOutScheme.
/// </summary>
public PathString RemoteSignOutPath { get; set; }

So you could try configuring Auth0 to call the RemoteSignOutPath; that may work for you. But if you have many clients, you need a different strategy. Perhaps a shorter access token lifetime?

I accepted Tore's answer because it is the best approach when the OpenID identity provider supports front-channel logout. In my case, Auth0 doesn't support OpenID Connect front- or back-channel logout:

Other than when Auth0 is using SAML, Auth0 does not natively support Single Logout. Single Logout can be achieved by having each application check the active session after their tokens expire, or you can force log out by terminating your application sessions at the application level.

I achieved this in ASP.NET Core MVC 3.1 by reducing the ExpireTimeSpan in the AddCookie configuration:

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(/* ... */)
            .AddCookie(options =>
            {
                // Local authentication cookie is only valid for one minute,
                // after which the user is sent back to Auth0 to re-authenticate.
                options.ExpireTimeSpan = TimeSpan.FromMinutes(1);
            });
        // ...
    }
}

As a result, any controller method decorated with [Authorize] automatically re-authenticates with Auth0 every minute. If the Auth0 session is still active, the user is redirected to the target page immediately. If not, they see the Auth0 login page.
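Putting Tore's suggestion (the RemoteSignOutPath and SignedOutCallbackPath settings) and the short-cookie approach from the accepted answer together, here is an added, complete Startup for ASP.NET Core 3.1. It is example code written for this page, not code from the question, either answer, or Auth0. The Auth0:Domain, Auth0:ClientId and Auth0:ClientSecret configuration keys, the /callback path and the AccountController are assumptions; the /v2/logout redirect follows the pattern of the Auth0 quickstart the question refers to.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _configuration;
    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed configuration keys (placeholders, e.g. "your-tenant.auth0.com").
        var domain = _configuration["Auth0:Domain"];
        var clientId = _configuration["Auth0:ClientId"];

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            // The local cookie is what keeps the user signed in here, so it must
            // expire quickly for a sign-out elsewhere in the SSO circle to take effect.
            options.ExpireTimeSpan = TimeSpan.FromMinutes(1);
            // Sliding expiration (the default) renews the cookie locally for active
            // users without ever consulting Auth0; turn it off so the one-minute
            // round trip to the identity provider really happens.
            options.SlidingExpiration = false;
        })
        .AddOpenIdConnect(options =>
        {
            options.Authority = $"https://{domain}";
            options.ClientId = clientId;
            options.ClientSecret = _configuration["Auth0:ClientSecret"];
            options.ResponseType = "code";
            options.CallbackPath = "/callback";   // assumed; must be an allowed callback URL in Auth0

            // Paths the handler listens on (these are the library defaults quoted in Tore's answer).
            // A provider that supports front-channel logout can call RemoteSignOutPath; the handler
            // then signs out the local cookie session whose `sid` claim matches the request.
            options.RemoteSignOutPath = "/signout-oidc";
            options.SignedOutCallbackPath = "/signout-callback-oidc";

            options.Events = new OpenIdConnectEvents
            {
                // Auth0 exposes /v2/logout rather than a standard end_session_endpoint,
                // so the sign-out redirect is built by hand (quickstart pattern).
                OnRedirectToIdentityProviderForSignOut = context =>
                {
                    var logoutUri = $"https://{domain}/v2/logout?client_id={clientId}";
                    var postLogoutUri = context.Properties.RedirectUri;
                    if (!string.IsNullOrEmpty(postLogoutUri))
                    {
                        if (postLogoutUri.StartsWith("/"))
                        {
                            var request = context.Request;
                            postLogoutUri = $"{request.Scheme}://{request.Host}{request.PathBase}{postLogoutUri}";
                        }
                        logoutUri += "&returnTo=" + Uri.EscapeDataString(postLogoutUri);
                    }
                    context.Response.Redirect(logoutUri);
                    context.HandleResponse();
                    return Task.CompletedTask;
                }
            };
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

// Assumed controller: local sign-out followed by the Auth0 /v2/logout redirect above.
public class AccountController : Controller
{
    [Authorize]
    public async Task Logout()
    {
        await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme,
            new AuthenticationProperties { RedirectUri = Url.Action("Index", "Home") });
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }
}
```

Two points worth checking in a deployment like this: the returnTo value must be listed under the application's Allowed Logout URLs in Auth0 or the redirect is rejected, and the one-minute cookie only approximates single sign-out (a user signed out elsewhere keeps a valid local session for up to a minute), so the lifetime should be chosen against what the application is protecting.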