Fixed issue where redirects triggered by AdditionalSignOutType were ignored. Updated IdentityServer sample

Author: scottbrady91

src/Hosts/Hosts.IdentityServerAuthentication/Controllers/LoginController.cs

@@ -0,0 +1,81 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Claims;
+using System.Threading.Tasks;
+using Hosts.Shared.InMemory;
+using IdentityManager2;
+using IdentityServer4;
+using IdentityServer4.Services;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Hosts.IdentityServerAuthentication
+{
+    public class LoginController : Controller
+    {
+        private readonly ICollection<InMemoryUser> users;
+        private readonly IIdentityServerInteractionService interactionService;
+
+        public LoginController(ICollection<InMemoryUser> users, IIdentityServerInteractionService interactionService)
+        {
+            this.users = users ?? throw new ArgumentNullException(nameof(users));
+            this.interactionService = interactionService ?? throw new ArgumentNullException(nameof(interactionService));
+        }
+
+        [HttpGet("login")]
+        public IActionResult Login(string returnUrl)
+        {
+            return View(new LoginModel {ReturnUrl = returnUrl});
+        }
+
+        [HttpPost("login")]
+        [ValidateAntiForgeryToken]
+        public async Task<IActionResult> Login(LoginModel model)
+        {
+            var user = users.FirstOrDefault(x => x.Username == model.Username && x.Password == model.Password);
+
+            if (user != null)
+            {
+                var claims = new List<Claim>
+                {
+                    new Claim("sub", user.Subject),
+                    new Claim("name", user.Username)
+                };
+
+                foreach (var role in user.Claims.Where(x => x.Type == IdentityManagerConstants.ClaimTypes.Role))
+                {
+                    claims.Add(new Claim(IdentityManagerConstants.ClaimTypes.Role, role.Value));
+                }
+
+                var identityServerUser = new IdentityServerUser(user.Subject) {AdditionalClaims = claims};
+                await HttpContext.SignInAsync(identityServerUser);
+
+                if (Url.IsLocalUrl(model.ReturnUrl)) return LocalRedirect(model.ReturnUrl);
+                return LocalRedirect("~/");
+            }
+
+            ModelState.AddModelError("", "Invalid username or password");
+            return View(model);
+        }
+
+        [HttpGet("logout")]
+        public async Task<IActionResult> Logout(string logoutId)
+        {
+            await HttpContext.SignOutAsync();
+
+            var logoutContext = await interactionService.GetLogoutContextAsync(logoutId);
+            if (logoutContext.PostLogoutRedirectUri != null) return Redirect(logoutContext.PostLogoutRedirectUri);
+            
+            return Redirect("/idm");
+        }
+    }
+
+    public class LoginModel
+    {
+        public string Username { get; set; }
+        public string Password { get; set; }
+        public string ReturnUrl { get; set; }
+    }
+}

src/Hosts/Hosts.IdentityServerAuthentication/Hosts.IdentityServerAuthentication.csproj

@@ -5,7 +5,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="IdentityServer4" Version="3.1.0-preview.1.4" />
+    <PackageReference Include="IdentityServer4" Version="3.1.0" />
   </ItemGroup>
 
   <ItemGroup>

src/Hosts/Hosts.IdentityServerAuthentication/Properties/launchSettings.json

@@ -3,7 +3,8 @@
     "Host.IdentityServerAuthentication": {
       "commandName": "Project",
       "launchBrowser": true,
-      "applicationUrl": "http://localhost:5000",
+      "launchUrl": "https://localhost:5000/idm",
+      "applicationUrl": "https://localhost:5000",
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"
       }

src/Hosts/Hosts.IdentityServerAuthentication/Startup.cs

@@ -1,17 +1,12 @@
 using System;
 using System.Collections.Generic;
 using System.IdentityModel.Tokens.Jwt;
-using System.Security.Claims;
-using System.Threading.Tasks;
+using System.Linq;
 using Hosts.Shared.InMemory;
 using IdentityManager2.Configuration;
-using IdentityServer4;
 using IdentityServer4.Models;
 using IdentityServer4.Test;
-using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.DependencyInjection;
 
 namespace Hosts.IdentityServerAuthentication
@@ -26,32 +21,42 @@ public void ConfigureServices(IServiceCollection services)
                         new SecurityConfiguration
                         {
                             HostAuthenticationType = "cookie",
-                            HostChallengeType = "oidc"
+                            HostChallengeType = "oidc",
+                            AdditionalSignOutType = "oidc"
                         })
                 .AddIdentityMangerService<InMemoryIdentityManagerService>();
 
-            var admin = new TestUser
-            {
-                SubjectId = "123",
-                Username = "scott",
-                Password = "scott",
-                Claims = {new Claim("role", "IdentityManagerAdministrator")}
-            };
-
+            var rand = new Random();
+            var identityManagerUsers = Users.Get(rand.Next(5000, 20000));
+            services.AddSingleton(x => identityManagerUsers);
+            services.AddSingleton(x => Roles.Get(rand.Next(15)));
+            
             var client = new Client
             {
                 ClientId = "identitymanager2",
                 ClientName = "IdentityManager2",
                 AllowedGrantTypes = GrantTypes.Implicit,
-                RedirectUris = {"http://localhost:5000/idm/signin-oidc"},
+                RedirectUris = {"https://localhost:5000/idm/signin-oidc"},
                 AllowedScopes = {"openid", "profile", "roles"},
                 RequireConsent = false
             };
 
             var roles = new IdentityResource("roles", new List<string> {"role"});
 
-            services.AddIdentityServer()
-                .AddTestUsers(new List<TestUser> {admin})
+            var identityServerUsers = identityManagerUsers.Select(x => new TestUser
+            {
+                SubjectId = x.Subject,
+                Username = x.Username,
+                Password = x.Password,
+                Claims = x.Claims
+            }).ToList();
+
+            services.AddIdentityServer(options =>
+                {
+                    options.UserInteraction.LoginUrl = "/login";
+                    options.UserInteraction.LogoutUrl = "/logout";
+                })
+                .AddTestUsers(identityServerUsers)
                 .AddInMemoryIdentityResources(new List<IdentityResource> {new IdentityResources.OpenId(), new IdentityResources.Profile(), roles})
                 .AddInMemoryApiResources(new List<ApiResource>())
                 .AddInMemoryClients(new List<Client> {client})
@@ -63,7 +68,7 @@ public void ConfigureServices(IServiceCollection services)
                 .AddCookie("cookie")
                 .AddOpenIdConnect("oidc", opt =>
                 {
-                    opt.Authority = "http://localhost:5000/auth";
+                    opt.Authority = "https://localhost:5000/auth";
                     opt.ClientId = "identitymanager2";
 
                     // default: openid & profile
@@ -72,16 +77,7 @@ public void ConfigureServices(IServiceCollection services)
                     opt.RequireHttpsMetadata = false; // dev only
                     opt.SignInScheme = "cookie";
                     opt.CallbackPath = "/signin-oidc";
-
-                    opt.Events = new OpenIdConnectEvents
-                    {
-                        OnTokenValidated = context => Task.CompletedTask
-                    };
                 });
-
-            var rand = new Random();
-            services.AddSingleton(x => Users.Get(rand.Next(5000, 20000)));
-            services.AddSingleton(x => Roles.Get(rand.Next(15)));
         }
 
         public void Configure(IApplicationBuilder app)
@@ -90,16 +86,11 @@ public void Configure(IApplicationBuilder app)
 
             app.Map("/auth", auth =>
             {
+                auth.UseRouting();
+                
                 auth.UseIdentityServer();
-
-                // Force authentication
-                auth.Map("/account/login",
-                    login => login.Use(async (context, func) =>
-                    {
-                        await context.SignInAsync(IdentityServerConstants.DefaultCookieAuthenticationScheme,
-                            new ClaimsPrincipal(new ClaimsIdentity(new List<Claim> {new Claim("sub", "123")}, IdentityServerConstants.DefaultCookieAuthenticationScheme)));
-                        context.Response.Redirect(context.Request.Query["returnUrl"]);
-                    }));
+                
+                auth.UseEndpoints(x => x.MapDefaultControllerRoute());
             });
 
             app.Map("/idm", idm =>
@@ -111,10 +102,7 @@ await context.SignInAsync(IdentityServerConstants.DefaultCookieAuthenticationSch
 
                 idm.UseIdentityManager();
 
-                idm.UseEndpoints(x =>
-                {
-                    x.MapDefaultControllerRoute();
-                });
+                idm.UseEndpoints(x => x.MapDefaultControllerRoute());
             });
 
         }

src/Hosts/Hosts.IdentityServerAuthentication/Views/Login/Login.cshtml

@@ -0,0 +1,39 @@
+@model Hosts.IdentityServerAuthentication.LoginModel
+
+@{
+    ViewBag.Title = "Login";
+}
+
+<div class="row pt-3">
+    <div class="col-12">
+        <h1 class="h2">Login using Local Cookie <small class="text-muted">"cookie" scheme</small></h1>
+        <div class="row">
+            <div class="col-lg-8">
+                <form asp-action="Login" method="post">
+                    <input asp-for="ReturnUrl" type="hidden"/>
+                    <div class="form-group">
+                        <label asp-for="Username"></label>
+                        <input asp-for="Username" class="form-control" required />
+                    </div>
+                    <div class="form-group">
+                        <label asp-for="Password"></label>
+                        <input asp-for="Password" class="form-control" required type="password" />
+                    </div>
+                    <button class="btn btn-primary" type="submit">Submit</button>
+                </form>
+            </div>
+            <div class="col-lg-4">
+                <div class="alert alert-info text-break">
+                    <p>
+                        Authorized IdentityManager users:
+                    </p>
+                    <ul>
+                        <li>alice:alice</li>
+                        <li>bob:bob</li>
+                        <li><em>any other user with the IdentityManagerAdministrator role</em></li>
+                    </ul>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>

src/Hosts/Hosts.IdentityServerAuthentication/Views/Shared/_Layout.cshtml

@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <title>@ViewBag.Title</title>
+    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css"
+          integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">
+</head>
+<body>
+    <div class="container">
+        @RenderBody()
+    </div>
+    <script src="https://code.jquery.com/jquery-3.4.1.slim.min.js" integrity="sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPo0iEjwBvKU7imGFAV0wwj1yYfoRSJoZ+n" crossorigin="anonymous"></script>
+    <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.0/dist/umd/popper.min.js" integrity="sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo" crossorigin="anonymous"></script>
+    <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js" integrity="sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6" crossorigin="anonymous"></script>
+</body>
+</html>

src/Hosts/Hosts.IdentityServerAuthentication/Views/_ViewImports.cshtml

@@ -0,0 +1 @@
+@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers

src/Hosts/Hosts.IdentityServerAuthentication/Views/_ViewStart.cshtml

@@ -0,0 +1,3 @@
+@{
+    Layout = "_Layout";
+}

src/IdentityManager2/Api/Controllers/PageController.cs

@@ -76,6 +76,9 @@ public async Task<IActionResult> Logout()
 
             await config.SecurityConfiguration.SignOut(HttpContext);
 
+            // if a signout scheme has started a redirect
+            if (HttpContext.Response.StatusCode == 302) return StatusCode(302);
+            
             return RedirectToRoute(IdentityManagerConstants.RouteNames.Home, null);
         }
     }