
Signout IFrame URLs (endsession/callback) are provided even if there are no clients to signout from #1543

Open
aomader opened this issue Jan 15, 2025 · 2 comments

Comments

aomader commented Jan 15, 2025

Which version of Duende IdentityServer are you using?
7.0.8

Which version of .NET are you using?
.NET8

Describe the bug

The signout iframe URL (targeting the endsession callback) is generated even if the clients the user is signed into don't have a FrontChannelLogoutUri and calling that endsession callback is useless in this case.

Maybe I am missing here some details, but if so, please enlighten me.

To Reproduce

Get the logout context for a user that signed into a client that has no FrontChannelLogoutUri. The URL towards the endsession callback (the iframe URL) is still generated, although it is a noop.

Expected behavior

No iframe URL (i.e., null), since there is nothing to do.

Otherwise, there is a need to show an intermediate page for some time to load the iframe URL in the browser.

Additional Context

Asking as an Enterprise License user.

@aomader aomader changed the title Signout IFrame URLs are provided even if there are no clients to signout from Signout IFrame URLs (endsession/callback) are provided even if there are no clients to signout from Jan 15, 2025
@RolandGuijt

The way this works is that IdentityServer creates a URL which the browser then uses to get an iFrame that will access the URL you're seeing in the logout context for each client.
When the client doesn't have a session or no FrontChannelLogoutUri configured, that URL returns an empty result. If that isn't the case it will return an iFrame pointing to a URL that ends the session.
So eventually we end up with a parent iFrame that contains child iFrames for each client that has a session and a FrontChannelLogoutUri.

So it's correct that you see the URL being generated, it will just not return anything if there's no FrontChannelLogoutUri.


aomader commented Jan 22, 2025

I am not sure I can fully follow, at least not the justification, or I am not seeing where this addresses the question.

So assuming there are no FrontChannelLogoutUris configured for any client and I get a logout context for a user signed into some of them. At that point, IdentityServer will happily provide me with a signout iframe URL that I need to provide to the user agent.

The issue is now that in this exact case, that signout iframe URL will resolve to a basically empty document, since there are no FrontChannelLogoutUris. Additionally, as I see it, that endpoint isn't doing anything else except for generating that list of sub-iframes, which again, would in this case be empty. Hence, the requirement to include this signout iframe at all seems pointless, so why should the IdentityServer generate it in the first place? It just forces the user flow to show a redirection page without there being an actual need for it.
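As an added illustration of the two halves of the flow discussed in this thread (not code from the issue, from the reporter, or from Duende's own templates), the following shows the IdentityServer-side "logged out" page that hosts the sign-out iframe URL from `GetLogoutContextAsync`, and the client-side endpoint that IdentityServer's endsession callback frames when the client has a `FrontChannelLogoutUri`. The page class `LoggedOutModel`, the route `/signout-oidc`, and the `expectedIssuer` parameter are assumed names; `IIdentityServerInteractionService`, `LogoutRequest.SignOutIFrameUrl`, `PostLogoutRedirectUri` and `ClientName` are the existing Duende APIs.

```csharp
// Added example, not part of the issue or of Duende IdentityServer itself.
// Names marked "hypothetical" are assumptions made for this illustration.
using Duende.IdentityServer.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.RazorPages;

// --- IdentityServer host: hypothetical "LoggedOut" Razor page ---
// Reached after the user's IdentityServer cookie has been cleared; it renders the
// sign-out iframe so the endsession callback can fan out to each client session.
public class LoggedOutModel : PageModel
{
    private readonly IIdentityServerInteractionService _interaction;

    public LoggedOutModel(IIdentityServerInteractionService interaction)
        => _interaction = interaction;

    public string? SignOutIframeUrl { get; private set; }
    public string? PostLogoutRedirectUri { get; private set; }
    public string? ClientName { get; private set; }

    // As the thread notes, the URL is set even when no client has a
    // FrontChannelLogoutUri; the callback then simply returns an empty document.
    public bool RenderIframe => !string.IsNullOrEmpty(SignOutIframeUrl);

    public async Task OnGetAsync(string logoutId)
    {
        var ctx = await _interaction.GetLogoutContextAsync(logoutId);
        SignOutIframeUrl = ctx.SignOutIFrameUrl;          // endsession callback URL
        PostLogoutRedirectUri = ctx.PostLogoutRedirectUri; // validated per-client redirect
        ClientName = ctx.ClientName;
    }
    // Corresponding LoggedOut.cshtml fragment:
    //   @if (Model.RenderIframe) {
    //       <iframe width="0" height="0" class="signout" src="@Model.SignOutIframeUrl"></iframe>
    //   }
}

// --- Client application: the endpoint registered as the client's FrontChannelLogoutUri ---
// IdentityServer's endsession callback renders one child iframe per signed-in client
// that has this URI configured, appending iss and sid when the client requires them.
public static class FrontChannelLogoutEndpoint
{
    // expectedIssuer: hypothetical parameter, the authority this client was configured with.
    public static void Map(WebApplication app, string expectedIssuer)
    {
        app.MapGet("/signout-oidc", async (HttpContext http, string? iss, string? sid) =>
        {
            // Only clear the local session when the notification is for the session this
            // browser actually holds; an unrelated or forged sid is ignored.
            var currentSid = http.User.FindFirst("sid")?.Value;
            var matches = http.User.Identity?.IsAuthenticated == true
                && currentSid is not null
                && string.Equals(iss, expectedIssuer, StringComparison.Ordinal)
                && string.Equals(sid, currentSid, StringComparison.Ordinal);

            if (matches)
            {
                await http.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            }

            // Either way return an empty, frameable 200: the iframe's only job is the side effect.
            return Results.Ok();
        });
    }
}
```

Two practical checks when wiring this up: the client's authentication cookie must be sent from inside a third-party iframe (so it needs `SameSite=None; Secure`), and the `/signout-oidc` response must not carry an `X-Frame-Options` or `frame-ancestors` policy that blocks IdentityServer's origin, or the child iframe loads but the sign-out never takes effect.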
