Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.0k views
in Technique[技术] by (71.8m points)

asp.net core - How to logout all clients from Identity Server?

Identity Server and two clients (SSO): .Net Core MVC and Nodejs.

When I log in with Nodejs client, after refresh MVC (second client) I got logged MVC client. It's good. But when I logout from Nodejs it send back-channel logout url to MVC client. Nodejs doesn't have problems with logout. But MVC client - after browser refresh it stay logged. I read this and this posts but they didn't help.

When in MVC Startup i wrote this code:

options.Events = new OpenIdConnectEvents
{
OnTicketReceived = (e) =>
 {
  e.Properties.IsPersistent = true;
  e.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(2);

  return Task.CompletedTask;
}
};

After two minutes I refresh browser and MVC redirect to Idrsv login page. Its good, but not safe (need to wait 2 minutes).

I read about userId claim cache but I doubt - if it will be a lot of active sessions, then cache will be very big and app will work slowly.

I can do with front-channel logout, but I read about cons, and now I doubt.

What do you prefer for logout all clients from Identity Server?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

In the samples the logout is performed using iframes on the logged out page. If this page is skipped or aborted, clients may not be informed. But I don't think that's the case.

I'd rather prefer a safer backend logout that doesn't rely on iframes. Take a look at my answer here for an example.

Now about the client. Non-javascript clients do need a roundtrip to update the cookie. So the flow is: user logs out from client A. IdentityServer informs other clients (backchannel) and removes server cookie.

And now the (non-javascript) client has to take action. It also needs to remove the cookie, but that is only possible after the user performs an action.

And that's where the caching comes in. The cache only contains the alert from the server. On the first opportunity it removes the cookie and also removes the user from the cache. So the cache will in fact stay quite small. Do add some cleanup code to remove logged out users (that never returned) with cookies that are expired.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...