1

I am working on SSO these days. We have a main application, let's call it A, where the user logs in, and then using SSO the user can access multiple applications related to application A. If the user logs out from application A, then the user should be logged out from all associated applications as well and then redirected back to A's login page. The issue where I am stuck: there is one application B which is associated with application A. To log out of this application (B) we have to hit a URL which logs out application B. The problem is that when I hit this URL from the browser, application B logs out successfully, but when I try to hit the URL from code, the logout does not work. I have tried the following solutions but they are not working:

  1. I have tried to hit the URL using a web request.
  2. I have tried Response.Redirect, Redirect, RedirectToAction.
  3. It works when I use the code below, but I don't want the user to see Application B's logout page, which the user currently sees when logging out from the main application.

I don't want the user to see Application B's logout page; instead they should see Application A's logout page. Is there any way to hit that URL so it logs out application B? Someone told me to open this URL in a hidden iframe. I don't know how to do this in a controller. Below is my code:


    public IActionResult Logout()
    {
        string urlLogout = "application/logout.action";

        var abc = Redirect(urlLogout); // this is not working

        return Redirect(urlLogout); // this works fine
    }
8
  • Redirect doesn't call anything, it sends a temporary Redirect response (302) to the browser Commented Jan 28, 2021 at 7:18
  • Controller runs on the server, but the logout has to be triggered from the client. I think hitting the url isn't enough. The Auth Token has also to be provided and that is only available in the client browser. You could add some JavaScript AJAX call to your delivered view that will call application B. Commented Jan 28, 2021 at 7:20
  • @Oliver when I hit the logout action from the browser search bar, it logs out the application Commented Jan 28, 2021 at 7:32
  • @PanagiotisKanavos you are right, but I need to hit the logout URL Commented Jan 28, 2021 at 7:42
  • 1
    For checking what's really being sent over the wire, you should open the developer tools of your browser and take a look at the network tab. Enable "Preserve log" and call the logout URL from the search bar. Then search for that request in the network tab and take a look at the request headers. There you'll see some authorization header that's being sent and that's only available to the browser and not the server. Commented Jan 28, 2021 at 8:00

1 Answer 1

3

Use the HttpClient to hit the url.

An example would be the following:

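    using System.Net.Http;
    // Shared instance; declare it as a field of the class.
    static readonly HttpClient client = new HttpClient();
    // Inside an async method (placeholder URL; HttpClient needs an absolute URI or a BaseAddress):
    HttpResponseMessage response = await client.GetAsync("application/logout.action");
    response.EnsureSuccessStatusCode();
    string responseBody = await response.Content.ReadAsStringAsync();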

Bear in mind that you should create the full request. This means that you need to add the headers and cookies to the request.

Example of adding the authorization header (this is for client credentials flow, but you get the gist of it).

    // Requires: using System.Net.Http.Headers;
    client.DefaultRequestHeaders.Authorization
        = new AuthenticationHeaderValue("Bearer", "Your Oauth token");

Edit after comment

If the above does not work, it means that the logout page of application B does some actions on the client side.

  1. It could be removing the cookies, if information is stored there. This can't be achieved from the application 1 controller as the cookies are accessible per hostname for security reasons.
  2. It could be executing an XHR signoff HTTP call. In this case you are in luck, as you could identify it from your browser console and execute it from your own C# code.

Worst case scenario, you can create a signoff action in application B that you can call from C# and invalidate the session. When the user tries to access application B with an invalidated session, then return a 401 error and handle it appropriately.


7 Comments

The question is really about redirection, not really calling a URL
I think that the OP is saying HIT without redirecting, and from his example he means that he just wants to hit the URL.
@AthanasiosKataras I already tried that, it is not working. Yes, I want to hit the URL. But when I hit it from the browser it works fine, but when I hit it from code or by an API request, the logout URL is not working
Ok. My guess is that the logout page removes the cookies, that's why your redirect works. If that's the case, then you need to create a new call in application B that will invalidate the session on that application so that even if the cookie exists in your browser it won't validate with the app
I know, but the resulting page could have some javascript that calls an XHR request, thus invalidating the session.
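
Added example (not part of the original answer or comments): one way to implement the server-to-server signoff action suggested above, so that application B rejects the stale cookie with a 401 even though the browser never visited B's logout page. It assumes an ASP.NET Core (.NET 6+) web project for application B; the endpoint path, header name, cookie name, configuration key and in-memory session store are hypothetical names chosen for illustration.

```csharp
// Application B, ASP.NET Core minimal API (.NET 6+). Added example; every name is hypothetical.
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

var builder = WebApplication.CreateBuilder(args);

// Secret known only to the servers of A and B (assumed configuration key).
string secret = builder.Configuration["Signoff:SharedSecret"] ?? "";
if (secret.Length < 32)
    throw new InvalidOperationException("Signoff:SharedSecret must be at least 32 characters");
byte[] signoffKey = Encoding.UTF8.GetBytes(secret);

// Server-side session store: session id (cookie value) -> user id.
// B's SSO login handler would add entries; one constructed entry stands in for it.
var sessions = new ConcurrentDictionary<string, string>();
sessions["constructed-session-id"] = "alice";

var app = builder.Build();

// Back-channel signoff: called by application A's server, never by the browser.
app.MapPost("/backchannel/signoff", (HttpRequest request, string userId) =>
{
    byte[] presented = Encoding.UTF8.GetBytes(request.Headers["X-Signoff-Key"].ToString());
    // Constant-time comparison avoids leaking the secret through response timing.
    if (!CryptographicOperations.FixedTimeEquals(presented, signoffKey))
        return Results.Unauthorized();

    // Drop every session of this user; the cookie left in the browser is now stale.
    foreach (var entry in sessions.Where(s => s.Value == userId))
        sessions.TryRemove(entry.Key, out _);
    return Results.NoContent();
});

// Protected resource: a missing or invalidated session id gets 401.
app.MapGet("/protected", (HttpRequest request) =>
    request.Cookies.TryGetValue("B_SESSION", out var sid)
    && sessions.TryGetValue(sid, out var user)
        ? Results.Ok($"hello {user}")
        : Results.Unauthorized());

app.Run();
```

Application A's Logout action would POST to this endpoint with HttpClient, passing the user id and the `X-Signoff-Key` header, and then return its own login redirect, so the user never sees application B's logout page.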