Adds support for logging out when using an external authentication provider

Author: ryannewington

src/Lithnet.Laps.Web/Lithnet.Laps.Web/App_LocalResources/UIMessages.Designer.cs

@@ -165,4 +165,7 @@
   <data name="RateLimitError" xml:space="preserve">
     <value>You have exceeded the maximum number of requests allowed in a specified period of time</value>
   </data>
+  <data name="LoggedOut" xml:space="preserve">
+    <value>You have been logged out. Please close all browser windows.</value>
+  </data>
 </root>

src/Lithnet.Laps.Web/Lithnet.Laps.Web/App_LocalResources/UIMessages.resx

@@ -25,6 +25,11 @@ body {
     text-align: center;
 }
 
+.center-content {
+    align-items: center;
+    text-align: center;
+}
+
 .app-logo {
     max-width: 200px;
 }
@@ -253,3 +258,7 @@ body {
         margin-top: 0;
     }
 }
+
+.logout-link {
+    color: #777;
+}

src/Lithnet.Laps.Web/Lithnet.Laps.Web/Content/Site.css

@@ -18,5 +18,24 @@ public ActionResult AuthNError()
         {
             return this.View();
         }
+
+        public ActionResult SignOut()
+        {
+            if (this.Request.GetOwinContext().Authentication.User.Identity.IsAuthenticated)
+            {
+                this.Request.GetOwinContext()
+                    .Authentication
+                    .SignOut(this.HttpContext.GetOwinContext()
+                        .Authentication.GetAuthenticationTypes()
+                        .Select(o => o.AuthenticationType).ToArray());
+            }
+
+            return this.View("LogOut");
+        }
+
+        public ActionResult LogOut()
+        {
+            return this.View();
+        }
     }
 }

src/Lithnet.Laps.Web/Lithnet.Laps.Web/Controllers/HomeController.cs

@@ -19,5 +19,7 @@ protected void Application_Start()
             RouteConfig.RegisterRoutes(RouteTable.Routes);
             BundleConfig.RegisterBundles(BundleTable.Bundles);
         }
+
+        public static bool CanLogout => Startup.CanLogout && (HttpContext.Current?.User?.Identity?.IsAuthenticated ?? false);
     }
 }

src/Lithnet.Laps.Web/Lithnet.Laps.Web/Global.asax.cs

@@ -396,6 +396,7 @@
     <Content Include="Scripts\popper-utils.js.map" />
     <Content Include="Views\Lap\Show.cshtml" />
     <Content Include="Views\Home\AuthNError.cshtml" />
+    <Content Include="Views\Home\LogOut.cshtml" />
   </ItemGroup>
   <ItemGroup />
   <ItemGroup>

src/Lithnet.Laps.Web/Lithnet.Laps.Web/Lithnet.Laps.Web.csproj

@@ -1,32 +1,30 @@
-using Microsoft.Owin;
-using Owin;
-using Microsoft.Owin.Security;
-using Microsoft.Owin.Security.Cookies;
-using Microsoft.Owin.Security.OpenIdConnect;
-using System.Threading.Tasks;
-using Microsoft.IdentityModel.Protocols.OpenIdConnect;
-using System.Configuration;
-using System.Security.Claims;
-using IdentityModel.Client;
-using System;
+using System;
 using System.Collections.Generic;
+using System.Configuration;
 using System.DirectoryServices.AccountManagement;
-using System.Threading;
+using System.Security.Claims;
+using System.Threading.Tasks;
 using System.Web;
 using System.Web.Helpers;
+using IdentityModel.Client;
 using Lithnet.Laps.Web.App_LocalResources;
 using Microsoft.IdentityModel.Logging;
-using Microsoft.IdentityModel.Protocols.WsFederation;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.Owin.Host.SystemWeb;
+using Microsoft.Owin.Security;
+using Microsoft.Owin.Security.Cookies;
 using Microsoft.Owin.Security.Notifications;
+using Microsoft.Owin.Security.OpenIdConnect;
 using Microsoft.Owin.Security.WsFederation;
 using NLog;
+using Owin;
 
 namespace Lithnet.Laps.Web
 {
     public class Startup
     {
+        internal static bool CanLogout = false;
         internal static string ClaimName { get; set; } = "upn";
 
         internal static IdentityType ClaimType { get; set; } = IdentityType.UserPrincipalName;
@@ -39,12 +37,15 @@ public class Startup
         private readonly string postLogoutRedirectUri = ConfigurationManager.AppSettings["oidc:PostLogoutRedirectUri"];
 
         private readonly string realm = ConfigurationManager.AppSettings["ida:wtrealm"];
+        private readonly string signOutWreply = ConfigurationManager.AppSettings["ida:signOutWreply"];
         private readonly string metadata = ConfigurationManager.AppSettings["ida:metadata"];
 
         private static readonly Logger logger = LogManager.GetCurrentClassLogger();
 
         public void ConfigureOpenIDConnect(IAppBuilder app)
         {
+            Startup.CanLogout = true;
+
             Startup.ClaimName = ConfigurationManager.AppSettings["oidc:claimName"] ?? ClaimTypes.Upn;
 
             if (Enum.TryParse(ConfigurationManager.AppSettings["oidc:claimType"], out IdentityType claimType))
@@ -56,7 +57,7 @@ public void ConfigureOpenIDConnect(IAppBuilder app)
                 Startup.ClaimType = IdentityType.UserPrincipalName;
             }
 
-            AntiForgeryConfig.UniqueClaimTypeIdentifier = ConfigurationManager.AppSettings["oidc:uniqueClaimTypeIdentifier"] ?? ClaimTypes.NameIdentifier;
+            AntiForgeryConfig.UniqueClaimTypeIdentifier = ConfigurationManager.AppSettings["oidc:uniqueClaimTypeIdentifier"] ?? ClaimTypes.PrimarySid;
 
             string responseType = ConfigurationManager.AppSettings["oidc:responseType"] ?? OpenIdConnectResponseType.IdToken;
 
@@ -76,10 +77,11 @@ public void ConfigureOpenIDConnect(IAppBuilder app)
                 RedirectUri = this.redirectUri,
                 ResponseType = responseType,
                 Scope = OpenIdConnectScope.OpenIdProfile,
-                PostLogoutRedirectUri = this.postLogoutRedirectUri,
+                PostLogoutRedirectUri = this.postLogoutRedirectUri ?? new Uri(new Uri(this.redirectUri.Trim('/', '\\')), "Home/LogOut").ToString(),
                 TokenValidationParameters = new TokenValidationParameters
                 {
-                    NameClaimType = "name"
+                    NameClaimType = "name",
+                    SaveSigninToken = true
                 },
 
                 Notifications = new OpenIdConnectAuthenticationNotifications
@@ -88,12 +90,6 @@ public void ConfigureOpenIDConnect(IAppBuilder app)
                     {
                         try
                         {
-                            if (responseType == OpenIdConnectResponseType.IdToken)
-                            {
-                                return;
-                            }
-                            
-                            // Exchange code for access and ID tokens
                             OpenIdConnectConfiguration config = await n.Options.ConfigurationManager.GetConfigurationAsync(n.Request.CallCancelled).ConfigureAwait(false);
 
                             TokenClient tokenClient = new TokenClient(config.TokenEndpoint, this.clientId, this.clientSecret);
@@ -124,7 +120,12 @@ public void ConfigureOpenIDConnect(IAppBuilder app)
                             n.Response.Redirect($"/Home/AuthNError?message={HttpUtility.UrlEncode(ex.Message)}");
                         }
                     },
-                    SecurityTokenValidated = Startup.FindClaimIdentityInDirectoryOrFail,
+                    SecurityTokenValidated = n =>
+                    {
+                        ClaimsIdentity user = n.AuthenticationTicket.Identity;
+                        user.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
+                        return Startup.FindClaimIdentityInDirectoryOrFail(n);
+                    },
                     RedirectToIdentityProvider = n =>
                     {
                         // If signing out, add the id_token_hint
@@ -148,12 +149,15 @@ public void ConfigureOpenIDConnect(IAppBuilder app)
 
         public void ConfigureWindowsAuth(IAppBuilder app)
         {
+            Startup.CanLogout = false;
+            AntiForgeryConfig.UniqueClaimTypeIdentifier = ConfigurationManager.AppSettings["ida:uniqueClaimTypeIdentifier"] ?? ClaimTypes.PrimarySid;
             ClaimName = ClaimTypes.PrimarySid;
             ClaimType = IdentityType.Sid;
         }
 
         public void ConfigureWsFederation(IAppBuilder app)
         {
+            Startup.CanLogout = true;
             Startup.ClaimName = ConfigurationManager.AppSettings["ida:claimName"] ?? ClaimTypes.Upn;
 
             if (Enum.TryParse(ConfigurationManager.AppSettings["ida:claimType"], out IdentityType claimType))
@@ -167,7 +171,7 @@ public void ConfigureWsFederation(IAppBuilder app)
 
             app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
 
-            AntiForgeryConfig.UniqueClaimTypeIdentifier = ConfigurationManager.AppSettings["ida:uniqueClaimTypeIdentifier"] ?? ClaimTypes.NameIdentifier;
+            AntiForgeryConfig.UniqueClaimTypeIdentifier = ConfigurationManager.AppSettings["ida:uniqueClaimTypeIdentifier"] ?? ClaimTypes.PrimarySid;
 
             app.UseCookieAuthentication(new CookieAuthenticationOptions
             {
@@ -182,6 +186,7 @@ public void ConfigureWsFederation(IAppBuilder app)
                 {
                     Wtrealm = this.realm,
                     MetadataAddress = this.metadata,
+                    SignOutWreply = this.signOutWreply ?? new Uri(new Uri(this.realm.Trim('/', '\\')), "Home/LogOut").ToString(),
                     Notifications = new WsFederationAuthenticationNotifications
                     {
                         SecurityTokenValidated = Startup.FindClaimIdentityInDirectoryOrFail,
@@ -193,7 +198,6 @@ public void ConfigureWsFederation(IAppBuilder app)
         private static Task HandleAuthNFailed<TMessage, TOptions>(AuthenticationFailedNotification<TMessage, TOptions> context)
         {
             Reporting.LogErrorEvent(EventIDs.OwinAuthNError, LogMessages.AuthNProviderError, context.Exception);
-
             context.HandleResponse();
             context.Response.Redirect($"/Home/AuthNError?message={HttpUtility.UrlEncode(context.Exception?.Message ?? "Unknown error")}");
 

src/Lithnet.Laps.Web/Lithnet.Laps.Web/Startup.cs

@@ -0,0 +1,14 @@
+@using System.Configuration
+@{
+    ViewBag.Title = "Logged out";
+}
+
+<div class="form-container">
+    <fieldset>
+        <section>
+            <div class="center-content">
+                @UIMessages.LoggedOut
+            </div>
+        </section>
+    </fieldset>
+</div>

src/Lithnet.Laps.Web/Lithnet.Laps.Web/Views/Home/LogOut.cshtml

@@ -7,9 +7,9 @@
 <div class="form-container">
     @using (Html.BeginForm("Get", "Lap", FormMethod.Post))
     {
-    <header>
-        @UIMessages.HeadingRequestPassword
-    </header>
+        <header>
+            @UIMessages.HeadingRequestPassword
+        </header>
         <fieldset>
 
             <section>
@@ -33,8 +33,10 @@
         </fieldset>
 
         <footer>
-            @Html.AntiForgeryToken()
-            <button type="submit" class="btn btn-primary">@UIMessages.ButtonRequestPassword</button>
+            <div class="center-content">
+                @Html.AntiForgeryToken()
+                <button type="submit" class="btn btn-primary">@UIMessages.ButtonRequestPassword</button>
+            </div>
         </footer>
     }
 </div>

src/Lithnet.Laps.Web/Lithnet.Laps.Web/Views/Lap/Get.cshtml

@@ -42,10 +42,11 @@
     </fieldset>
 
     <footer>
-        @using (Html.BeginForm("Get", "Lap", FormMethod.Get))
-        {
-            <button type="submit" class="btn btn-primary">@UIMessages.ButtonRequestAnotherPassword</button>
-        }
+        <div class="center-content">
+            @using (Html.BeginForm("Get", "Lap", FormMethod.Get))
+            {
+                <button type="submit" class="btn btn-primary">@UIMessages.ButtonRequestAnotherPassword</button>
+            }
+        </div>
     </footer>
-
 </div>