Rework WsFed RemoteSignOutPath logic to work with ADFS #1581

Tratcher · Tratcher · commit 9ebfc5634a42 · 2018-01-04T11:59:57.000-08:00
diff --git a/src/Microsoft.AspNetCore.Authentication.WsFederation/WsFederationHandler.cs b/src/Microsoft.AspNetCore.Authentication.WsFederation/WsFederationHandler.cs
@@ -57,8 +57,12 @@ public WsFederationHandler(IOptionsMonitor<WsFederationOptions> options, ILogger
         /// <returns></returns>
         public override Task<bool> HandleRequestAsync()
         {
-            if (Options.RemoteSignOutPath.HasValue && Options.RemoteSignOutPath == Request.Path)
+            // RemoteSignOutPath and CallbackPath may be the same, fall through if the message doesn't match.
+            if (Options.RemoteSignOutPath.HasValue && Options.RemoteSignOutPath == Request.Path && HttpMethods.IsGet(Request.Method)
+                && string.Equals(Request.Query[WsFederationConstants.WsFederationParameterNames.Wa],
+                    WsFederationConstants.WsFederationActions.SignOutCleanup, StringComparison.OrdinalIgnoreCase))
             {
+                // We've received a remote sign-out request
                 return HandleRemoteSignOutAsync();
             }
 
@@ -374,18 +378,12 @@ public async virtual Task SignOutAsync(AuthenticationProperties properties)
         }
 
         /// <summary>
-        /// Handles requests to the RemoteSignOutPath and signs out the user.
+        /// Handles wsignoutcleanup1.0 messages sent to the RemoteSignOutPath
         /// </summary>
         /// <returns></returns>
         protected virtual async Task<bool> HandleRemoteSignOutAsync()
         {
-            WsFederationMessage message = null;
-
-            if (string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
-            {
-                message = new WsFederationMessage(Request.Query.Select(pair => new KeyValuePair<string, string[]>(pair.Key, pair.Value)));
-            }
-
+            var message = new WsFederationMessage(Request.Query.Select(pair => new KeyValuePair<string, string[]>(pair.Key, pair.Value)));
             var remoteSignOutContext = new RemoteSignOutContext(Context, Scheme, Options, message);
             await Events.RemoteSignOut(remoteSignOutContext);
 
@@ -403,15 +401,8 @@ protected virtual async Task<bool> HandleRemoteSignOutAsync()
                 }
             }
 
-            if (message == null
-                || !string.Equals(message.Wa, WsFederationConstants.WsFederationActions.SignOutCleanup, StringComparison.OrdinalIgnoreCase))
-            {
-                return false;
-            }
-
             Logger.RemoteSignOut();
 
-            // We've received a remote sign-out request
             await Context.SignOutAsync(Options.SignOutScheme);
             return true;
         }
diff --git a/src/Microsoft.AspNetCore.Authentication.WsFederation/WsFederationOptions.cs b/src/Microsoft.AspNetCore.Authentication.WsFederation/WsFederationOptions.cs
@@ -33,7 +33,10 @@ public class WsFederationOptions : RemoteAuthenticationOptions
         public WsFederationOptions()
         {
             CallbackPath = "/signin-wsfed";
-            RemoteSignOutPath = "/signout-wsfed";
+            // In ADFS the cleanup messages are sent to the same callback path as the initial login.
+            // In AAD it sends the cleanup message to a random Reply Url and there's no deterministic way to configure it.
+            //  If you manage to get it configured, then you can set RemoteSignOutPath accordingly.
+            RemoteSignOutPath = "/signin-wsfed";
             Events = new WsFederationEvents();
         }
 
@@ -163,7 +166,7 @@ public TokenValidationParameters TokenValidationParameters
         public bool AllowUnsolicitedLogins { get; set; }
 
         /// <summary>
-        /// Requests received on this path will cause the handler to invoke SignOut using the SignInScheme.
+        /// Requests received on this path will cause the handler to invoke SignOut using the SignOutScheme.
         /// </summary>
         public PathString RemoteSignOutPath { get; set; }
 
diff --git a/test/Microsoft.AspNetCore.Authentication.WsFederation.Test/WsFederationTest.cs b/test/Microsoft.AspNetCore.Authentication.WsFederation.Test/WsFederationTest.cs
@@ -117,7 +117,7 @@ public async Task RemoteSignoutRequestTriggersSignout()
         {
             var httpClient = CreateClient();
 
-            var response = await httpClient.GetAsync("/signout-wsfed?wa=wsignoutcleanup1.0");
+            var response = await httpClient.GetAsync("/signin-wsfed?wa=wsignoutcleanup1.0");
             response.EnsureSuccessStatusCode();
 
             var cookie = response.Headers.GetValues(HeaderNames.SetCookie).Single();

Original file line number	Diff line number	Diff line change
`@@ -57,8 +57,12 @@ public WsFederationHandler(IOptionsMonitor<WsFederationOptions> options, ILogger`
`57`	`57`	`/// <returns></returns>`
`58`	`58`	`public override Task<bool> HandleRequestAsync()`
`59`	`59`	`{`
`60`		`- if (Options.RemoteSignOutPath.HasValue && Options.RemoteSignOutPath == Request.Path)`
	`60`	`+ // RemoteSignOutPath and CallbackPath may be the same, fall through if the message doesn't match.`
	`61`	`+ if (Options.RemoteSignOutPath.HasValue && Options.RemoteSignOutPath == Request.Path && HttpMethods.IsGet(Request.Method)`
	`62`	`+ && string.Equals(Request.Query[WsFederationConstants.WsFederationParameterNames.Wa],`
	`63`	`+ WsFederationConstants.WsFederationActions.SignOutCleanup, StringComparison.OrdinalIgnoreCase))`
`61`	`64`	`{`
	`65`	`+ // We've received a remote sign-out request`
`62`	`66`	`return HandleRemoteSignOutAsync();`
`63`	`67`	`}`
`64`	`68`
`@@ -374,18 +378,12 @@ public async virtual Task SignOutAsync(AuthenticationProperties properties)`
`374`	`378`	`}`
`375`	`379`
`376`	`380`	`/// <summary>`
`377`		`- /// Handles requests to the RemoteSignOutPath and signs out the user.`
	`381`	`+ /// Handles wsignoutcleanup1.0 messages sent to the RemoteSignOutPath`
`378`	`382`	`/// </summary>`
`379`	`383`	`/// <returns></returns>`
`380`	`384`	`protected virtual async Task<bool> HandleRemoteSignOutAsync()`
`381`	`385`	`{`
`382`		`- WsFederationMessage message = null;`
`383`		`-`
`384`		`- if (string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase))`
`385`		`- {`
`386`		`- message = new WsFederationMessage(Request.Query.Select(pair => new KeyValuePair<string, string[]>(pair.Key, pair.Value)));`
`387`		`- }`
`388`		`-`
	`386`	`+ var message = new WsFederationMessage(Request.Query.Select(pair => new KeyValuePair<string, string[]>(pair.Key, pair.Value)));`
`389`	`387`	`var remoteSignOutContext = new RemoteSignOutContext(Context, Scheme, Options, message);`
`390`	`388`	`await Events.RemoteSignOut(remoteSignOutContext);`
`391`	`389`
`@@ -403,15 +401,8 @@ protected virtual async Task<bool> HandleRemoteSignOutAsync()`
`403`	`401`	`}`
`404`	`402`	`}`
`405`	`403`
`406`		`- if (message == null`
`407`		`- \|\| !string.Equals(message.Wa, WsFederationConstants.WsFederationActions.SignOutCleanup, StringComparison.OrdinalIgnoreCase))`
`408`		`- {`
`409`		`- return false;`
`410`		`- }`
`411`		`-`
`412`	`404`	`Logger.RemoteSignOut();`
`413`	`405`
`414`		`- // We've received a remote sign-out request`
`415`	`406`	`await Context.SignOutAsync(Options.SignOutScheme);`
`416`	`407`	`return true;`
`417`	`408`	`}`
Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,7 @@ public async Task RemoteSignoutRequestTriggersSignout()`
`117`	`117`	`{`
`118`	`118`	`var httpClient = CreateClient();`
`119`	`119`
`120`		`- var response = await httpClient.GetAsync("/signout-wsfed?wa=wsignoutcleanup1.0");`
	`120`	`+ var response = await httpClient.GetAsync("/signin-wsfed?wa=wsignoutcleanup1.0");`
`121`	`121`	`response.EnsureSuccessStatusCode();`
`122`	`122`
`123`	`123`	`var cookie = response.Headers.GetValues(HeaderNames.SetCookie).Single();`