aspnetcore: Signout doesn't redirect to redirect uri specified in authentication properties.
Describe the bug
While creating a website using OAuth configured as follows:
builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = "GitHub";
})
.AddOAuth("GitHub", "GitHub", options =>
{
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.ClientId = Configuration["ClientId"];
    options.ClientSecret = Configuration["ClientSecret"];
    options.CallbackPath = new PathString(GithubHttpClient.REDIRECT_ENDOPOINT);
    options.AuthorizationEndpoint = "https://github.com/login/oauth/authorize";
    options.TokenEndpoint = "https://github.com/login/oauth/access_token";
    options.UserInformationEndpoint = "https://api.github.com/user";
    options.ClaimsIssuer = "OAuth2-Github";
    options.SaveTokens = true;
    options.Scope.Add("user");
    options.Scope.Add("repo");
    options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
    options.ClaimActions.MapJsonKey(ClaimTypes.Name, "login");
    options.ClaimActions.MapJsonKey(GithubHttpClient.GITHUB_LOGIN_CLAIM, "login");
    options.ClaimActions.MapJsonKey(GithubHttpClient.GITHUB_NAME_CLAIM, "name");
    options.ClaimActions.MapJsonKey(GithubHttpClient.GITHUB_URL_CLAIM, "html_url");
    options.ClaimActions.MapJsonKey(GithubHttpClient.GITHUB_AVATAR_CLAIM, "avatar_url");
    // Retrieving user information is unique to each provider.
    options.Events = new OAuthEvents
    {
        OnCreatingTicket = async context => { await CreateGitHubAuthTicket(context); }
    };
})
.AddCookie();
I have a Signout endpoint defined as follows:
[HttpGet("~/logout")]
[HttpPost("~/logout")]
public IActionResult SignOutCurrentUser()
{
    return SignOut(new AuthenticationProperties { RedirectUri = "/" },
        CookieAuthenticationDefaults.AuthenticationScheme);
}
The logout button is defined as:
<a class="btn btn-lg btn-danger" href="/logout?returnUrl=%2F">Sign out</a>
The site successfully signs out; however, after the signout is completed, the site is not redirected to "/", which is the RedirectUri I specified on the SignOut action.
Further technical details
- ASP.NET Core version: 6.0.0-rc.1.21452.15
- Output of dotnet --info:
.NET SDK (reflecting any global.json):
Version: 6.0.100-rc.1.21463.6
Commit: e627d556a1
Runtime Environment:
OS Name: Windows
OS Version: 10.0.22000
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\6.0.100-rc.1.21463.6\
Host (useful for support):
Version: 6.0.0-rc.1.21451.13
Commit: d7619cd4b1
.NET SDKs installed:
3.1.410 [C:\Program Files\dotnet\sdk]
5.0.200-preview.21077.7 [C:\Program Files\dotnet\sdk]
5.0.301 [C:\Program Files\dotnet\sdk]
6.0.100-preview.6.21355.2 [C:\Program Files\dotnet\sdk]
6.0.100-rc.1.21458.32 [C:\Program Files\dotnet\sdk]
6.0.100-rc.1.21463.6 [C:\Program Files\dotnet\sdk]
.NET runtimes installed:
Microsoft.AspNetCore.All 2.1.23 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.All 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.23 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.9 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.16 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.0-preview.6.21355.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.0-rc.1.21452.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.23 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.28 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.16 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.0-preview.6.21352.12 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.0-preview.7.21360.10 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.0-rc.1.21451.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 3.1.9 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 3.1.16 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 6.0.0-preview.6.21353.1 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 6.0.0-rc.1.21451.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
- The IDE (VS / VS Code/ VS4Mac) you’re running on, and its version: Microsoft Visual Studio Enterprise 2022 Preview (64-bit) Version 17.0.0 Preview 4.1 [31717.71.d17.0]
About this issue
- State: closed
- Created 3 years ago
- Comments: 16 (16 by maintainers)
Yes that restriction is here: https://github.com/dotnet/aspnetcore/blob/a5be6c5916e1a537f3cefcc31985b9f8a1fe0a27/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs#L400-L401 I’m not sure why that exists either, and the comments for it are terrible. https://github.com/dotnet/aspnetcore/blob/a5be6c5916e1a537f3cefcc31985b9f8a1fe0a27/src/Security/Authentication/Cookies/src/CookieAuthenticationOptions.cs#L91
The other thing you can do is to call SignOut explicitly and then redirect as a separate step.
@blowdart we should see if we can at least come up with a good explanation for this restriction.
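The two-step workaround suggested above, written out as an added example (this is not code from the issue reporter or from the aspnetcore repository). It signs the cookie scheme out with HttpContext.SignOutAsync and then issues its own redirect, so the result no longer depends on the cookie handler deciding whether the request path matches its LogoutPath. The controller name, the returnUrl parameter and the SafeReturnUrl helper are assumptions for the illustration; the returnUrl value is treated as untrusted input, since a redirect target taken straight from the query string is the classic open-redirect mistake on logout endpoints.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller for the example; the route matches the issue's endpoint.
public class AccountController : Controller
{
    [HttpGet("~/logout")]
    [HttpPost("~/logout")]
    public async Task<IActionResult> SignOutCurrentUser(string? returnUrl)
    {
        // Step 1: clear the application cookie explicitly. No AuthenticationProperties
        // are passed, because the redirect is handled by this action, not by the handler.
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

        // Step 2: redirect as a separate step. Only a local path is followed; an
        // absolute URL, a protocol-relative "//host" form or an empty value falls back to "/".
        return LocalRedirect(SafeReturnUrl(returnUrl));
    }

    // Url.IsLocalUrl accepts only paths that start with a single "/" or "~/";
    // LocalRedirect additionally throws if it is ever handed a non-local URL,
    // which acts as a second line of defence if this helper is bypassed.
    private string SafeReturnUrl(string? returnUrl) =>
        !string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
}
```

With this in place the existing link "/logout?returnUrl=%2F" lands on "/" after the cookie is cleared, and a tampered link such as "/logout?returnUrl=https://attacker.example" also lands on "/" instead of leaving the site. If you would rather keep the single SignOut(...) call from the issue, the alternative is to tell the cookie handler about the endpoint, for example AddCookie(options => options.LogoutPath = "/logout"), so that the path check referenced in the comment above matches and the handler applies the RedirectUri itself; whichever route you take, the redirect target should still be restricted to local URLs.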
Thanks for sharing the code. That is an unfortunate behavior… I don’t know if it is documented, I couldn’t find anything about it. Let’s see what aspnetcore folks have to share/say about this behavior.
If you’re interested in the gnarly details, it happens right here: