Rework WsFed RemoteSignOutPath logic to work with ADFS #1581

Author: Tratcher

src/Microsoft.AspNetCore.Authentication.WsFederation/WsFederationHandler.cs

@@ -57,8 +57,11 @@ public WsFederationHandler(IOptionsMonitor<WsFederationOptions> options, ILogger
         /// <returns></returns>
         public override Task<bool> HandleRequestAsync()
         {
-            if (Options.RemoteSignOutPath.HasValue && Options.RemoteSignOutPath == Request.Path)
+            if (Options.RemoteSignOutPath.HasValue && Options.RemoteSignOutPath == Request.Path && HttpMethods.IsGet(Request.Method)
+                && string.Equals(Request.Query[WsFederationConstants.WsFederationParameterNames.Wa],
+                    WsFederationConstants.WsFederationActions.SignOutCleanup, StringComparison.OrdinalIgnoreCase))
             {
+                // We've received a remote sign-out request
                 return HandleRemoteSignOutAsync();
             }
 
@@ -374,18 +377,12 @@ public async virtual Task SignOutAsync(AuthenticationProperties properties)
         }
 
         /// <summary>
-        /// Handles requests to the RemoteSignOutPath and signs out the user.
+        /// Handles wsignoutcleanup1.0 messages sent to the RemoteSignOutPath
         /// </summary>
         /// <returns></returns>
         protected virtual async Task<bool> HandleRemoteSignOutAsync()
         {
-            WsFederationMessage message = null;
-
-            if (string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase))
-            {
-                message = new WsFederationMessage(Request.Query.Select(pair => new KeyValuePair<string, string[]>(pair.Key, pair.Value)));
-            }
-
+            var message = new WsFederationMessage(Request.Query.Select(pair => new KeyValuePair<string, string[]>(pair.Key, pair.Value)));
             var remoteSignOutContext = new RemoteSignOutContext(Context, Scheme, Options, message);
             await Events.RemoteSignOut(remoteSignOutContext);
 
@@ -403,15 +400,8 @@ protected virtual async Task<bool> HandleRemoteSignOutAsync()
                 }
             }
 
-            if (message == null
-                || !string.Equals(message.Wa, WsFederationConstants.WsFederationActions.SignOutCleanup, StringComparison.OrdinalIgnoreCase))
-            {
-                return false;
-            }
-
             Logger.RemoteSignOut();
 
-            // We've received a remote sign-out request
             await Context.SignOutAsync(Options.SignOutScheme);
             return true;
         }

src/Microsoft.AspNetCore.Authentication.WsFederation/WsFederationOptions.cs

@@ -33,7 +33,10 @@ public class WsFederationOptions : RemoteAuthenticationOptions
         public WsFederationOptions()
         {
             CallbackPath = "/signin-wsfed";
-            RemoteSignOutPath = "/signout-wsfed";
+            // In ADFS the cleanup messages are sent to the same callback path as the initial login.
+            // In AAD it sends the cleanup message to a random Reply Url and there's no deterministic way to configure it.
+            //  If you manage to get it configured, then you can set RemoteSignOutPath accordingly.
+            RemoteSignOutPath = "/signin-wsfed";
             Events = new WsFederationEvents();
         }
 
@@ -163,7 +166,7 @@ public TokenValidationParameters TokenValidationParameters
         public bool AllowUnsolicitedLogins { get; set; }
 
         /// <summary>
-        /// Requests received on this path will cause the handler to invoke SignOut using the SignInScheme.
+        /// Requests received on this path will cause the handler to invoke SignOut using the SignOutScheme.
         /// </summary>
         public PathString RemoteSignOutPath { get; set; }