Open Closed

Not logout when Authentication Flow with Keycloak. #1397


User avatar
0
hungvt created
  • ABP Framework version: v3.2
  • UI type: Angular
  • DB provider: EF Core / MongoDB
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:
  • I used Keycloak with SSO, code as:
        {
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
            JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Add("sub", ClaimTypes.NameIdentifier);
            context.Services.AddAuthentication()
                .AddIdentityServerAuthentication(options =>
                {
                    options.Authority = configuration["AuthServer:Authority"];
                    options.RequireHttpsMetadata = false;
                    options.ApiName = "newPMS";
                    options.JwtBackChannelHandler = new HttpClientHandler()
                    {
                        ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
                    };
                })
                .AddOpenIdConnect("KeyCloakOpenId", "Ord key cloak", options =>
                {
                  //  options.SignInScheme = IdentityConstants.ExternalScheme;
                    options.Authority = configuration["Authentication:KeyCloak:Authority"];
                    options.ClientId = configuration["Authentication:KeyCloak:ClientId"];
                    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
                    options.CallbackPath = "/signin-oidc";
                    options.SignedOutRedirectUri = configuration["App:SelfUrl"];
                    options.ClientSecret = configuration["Authentication:KeyCloak:ClientSecret"];
                    options.RequireHttpsMetadata = false;
                    options.GetClaimsFromUserInfoEndpoint = true;
                    options.SaveTokens = true;
                    options.Scope.Add("offline_access email");
                });
        }
  • I custom file LoggedOutModel
 [Dependency(ReplaceServices = true)]
    [ExposeServices(typeof(LoggedOutModel))]
    public class CustomLogoutModel : LoggedOutModel
    {
        private readonly IConfiguration _configuration;

        public CustomLogoutModel(IConfiguration configuration)
        {
            _configuration = configuration;
        }

        public override async Task<IActionResult> OnGetAsync()
        {
            await HttpContext.SignOutAsync("KeyCloakOpenId", new AuthenticationProperties()
            {
                RedirectUri = "/"
            });

            await base.OnGetAsync();
            return Redirect("/");
        }
    }
  • When click logout button in Angular UI then not logout in page Keycloak:
  • I want when log out in Angular UI then also log out in page Keycloak.
  • Thank!

6 Answer(s)
  • User Avatar
    0
    alper created
    Support Team Director

    I think you need to configure Identity Server for front channel logout. I'll share you a link which is similar to your requirement https://support.aspnetzero.com/QA/Questions/9809/How-do-I-implement-logout-all-client-with-Identity-Server-4#answer-7d351498-32de-92e6-a92b-39f8bf30a871

  • User Avatar
    0
    hungvt created

    Hi albert I can't access the link :https://support.aspnetzero.com/QA/Questions/9809/How-do-I-implement-logout-all-client-with-Identity-Server-4#answer-7d351498-32de-92e6-a92b-39f8bf30a871 Can you guide me in detail here? Thank!

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

  • User Avatar
    0
    hungvt created

    Hi @maliming please give me the link! Thank!

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    HI

    The link is the alper shared. But you said you can't access it.

    https://support.aspnetzero.com/QA/Questions/9809/How-do-I-implement-logout-all-client-with-Identity-Server-4#answer-7d351498-32de-92e6-a92b-39f8bf30a871


    Hello @trungbttsd,

    I think implementing front-channel logout will solve your problem. However it is a bit complicated and tricky at first glance.

    Updating IdentityServer Clients

    You need to update your identityServer clients with the following:

    • Set FrontChannelLogoutUri to $"{webClientRootUrl}Account/FrontChannelLogout". webClientRootUrl will be your client url. We'll implement FrontChannelLogout method in AccountController
    • Set FrontChannelLogoutRequired to true

    Updating AccountController

    • Add FrontChannelLogout method to your AccountController. Sample code is here.
    • Update your Logout method in your AccountController. Sample code is here. You need to get logoutContext using logoutId. LogoutContext has information of PostLogoutRedirectUri and SignOutIFrameUrl. So you can redirect to SignedOut (or LoggedOut) page to display the iframe that will signout of all other clients.

    Add LoggedOut Page

    You need to add a new page to redirect after logging out, to signout from other clients and/or redirect back to your client. You can see sample implementations of our LoggedOut.cshtml and LoggedOut.cshtml.cs.

    I hope this will be helpful.

  • User Avatar
    0
    hungvt created

    Thanks team! Solved

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09