Hi,
I have implemented AspNetIdentity .NET8 using Duende 7.0.4 together with OIDC and it works great for desktop browsers and the Android app, where cookies work well. The problem is with iOS, where cookies are not sent with requests. The main problem is with logout requests and the ticket store.
I have configured ITicketStore for the default Identity.Application scheme.
If there is a logout request using the connect/endsession endpoint, then the CookieAuthenticationHandler.HandleSignOutAsync() method is called internally, which, if there is a cookie sent with the request, successfully deletes the ticket from the session store.
The problem is with the iOS mobile app. By default no cookie is sent together with the logout request, so no ticket is deleted from the session store and sessions remain there forever (if there is no automatic deletion of expired tickets).
So my questions are: What is the best practice using OIDC and iOS? Should we make sure that cookies are also sent on iOS, or is there another way to delete the ticket from the session store without a cookie?
One thing I tried was to add the [Authorize] attribute on the account/logout endpoint, which is internally called after the connect/endsession endpoint is processed. Then the iOS app sends the accessToken together with the connect/endsession request, and the ticket was deleted from the session store manually using the sid (session ID) claim from HttpContext.User. But I am not sure if this is the right way.
Thanks for your help.
Tomáš
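
The cookie-less removal described in the post above, as an added example that is not part of the original post and is not Duende or ASP.NET Core code: an in-memory `ITicketStore` that keeps a second index by session ID. The class name, `RemoveBySessionIdAsync` and the `sidOf` selector are hypothetical, and how the session ID is recorded on the ticket is an assumption left to that selector.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Hypothetical store: keeps a second index from session ID to store key, so a
// ticket can be removed when the logout request arrives without the cookie.
public sealed class SidIndexedTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets = new();
    private readonly ConcurrentDictionary<string, string> _keyBySid = new();
    private readonly Func<AuthenticationTicket, string?> _sidOf;

    // Assumption: the caller supplies how the session ID is read from a ticket.
    public SidIndexedTicketStore(Func<AuthenticationTicket, string?> sidOf) => _sidOf = sidOf;

    public async Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = Guid.NewGuid().ToString("N");
        await RenewAsync(key, ticket);
        return key;
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket;
        if (_sidOf(ticket) is { } sid) _keyBySid[sid] = key;
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket?> RetrieveAsync(string key) =>
        Task.FromResult<AuthenticationTicket?>(_tickets.TryGetValue(key, out var t) ? t : null);

    public Task RemoveAsync(string key)
    {
        // Drop the ticket and its session ID index entry together.
        if (_tickets.TryRemove(key, out var ticket) && _sidOf(ticket) is { } sid)
            _keyBySid.TryRemove(sid, out _);
        return Task.CompletedTask;
    }

    // Cookie-less path. Pass only a sid taken from a token the server has
    // already validated, never a raw value from the request body or query.
    public async Task<bool> RemoveBySessionIdAsync(string sid)
    {
        if (!_keyBySid.TryGetValue(sid, out var key)) return false;
        await RemoveAsync(key);
        return true;
    }
}
```

The store has no expiry sweep, so tickets that are never logged out still accumulate; a production store would also evict entries past the ticket's expiry.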