Which version of Duende IdentityServer are you using?
7.0.6
Which version of .NET are you using?
.NET 8
Hi,
I have implemented AspNetIdentity together with OIDC and it works great for desktop browsers and the Android app, where cookies work well. The problem is with iOS, where cookies are not sent with requests. The main problem is with logout requests and the ticket store.
I have configured ITicketStore for the default Identity.Application scheme.
If there is a logout request using the connect/endsession endpoint, then the CookieAuthenticationHandler.HandleSignOutAsync() method is called internally, which, if there is a cookie sent with the request, successfully deletes the ticket from the session store.
The problem is with the iOS mobile app. By default no cookie is sent together with the logout request, so no ticket is deleted from the session store and sessions remain there forever (if there is no automatic deletion of expired tickets).
So my questions are: What is the best practice for using OIDC and iOS? Should we make sure that cookies are also sent on iOS, or is there another way to delete a ticket from the session store without a cookie?
What I tried was to add the [Authorize] attribute on the account/logout endpoint, which is internally called after the connect/endsession endpoint is processed. Then the iOS app sends the accessToken together with the connect/endsession request, and the ticket was deleted from the session store manually using the sid (session ID) claim from HttpContext.User. But I am not sure if this is the right way.
Thanks for your help.
Tomáš
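An added example, not part of the original post and not Duende or ASP.NET Core code: an in-memory ITicketStore that can also drop tickets by session ID and purge expired ones, the two gaps the post describes. The class name, the RemoveBySessionId and RemoveExpired methods and the sessionIdOf delegate are assumptions; how the session ID is recorded in a ticket depends on the setup.

```csharp
#nullable enable
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Hypothetical store: class name and the two extra Remove* methods are assumptions, not framework API.
public sealed class SessionIndexedTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets = new();
    private readonly Func<AuthenticationTicket, string?> _sessionIdOf;
    // sessionIdOf (assumption): returns the session ID your setup records in a ticket.
    public SessionIndexedTicketStore(Func<AuthenticationTicket, string?> sessionIdOf) =>
        _sessionIdOf = sessionIdOf;
    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = Guid.NewGuid().ToString("N"); // opaque key; only this goes into the cookie
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }
    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket;
        return Task.CompletedTask;
    }
    public Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        if (_tickets.TryGetValue(key, out var ticket) && !IsExpired(ticket))
            return Task.FromResult<AuthenticationTicket?>(ticket);
        _tickets.TryRemove(key, out _); // expired or unknown: never hand it back
        return Task.FromResult<AuthenticationTicket?>(null);
    }
    // Cookie path: the cookie handler calls this on sign-out when the request carried the cookie.
    public Task RemoveAsync(string key) => Task.FromResult(_tickets.TryRemove(key, out _));
    // Cookie-less path: drop every ticket of one session, e.g. the sid of a validated token.
    public int RemoveBySessionId(string sid) => RemoveWhere(t => _sessionIdOf(t) == sid);
    // Run periodically so tickets of abandoned sessions do not stay forever.
    public int RemoveExpired() => RemoveWhere(IsExpired);
    private int RemoveWhere(Func<AuthenticationTicket, bool> match)
    {
        var removed = 0;
        foreach (var pair in _tickets)
            if (match(pair.Value) && _tickets.TryRemove(pair.Key, out _)) removed++;
        return removed;
    }
    private static bool IsExpired(AuthenticationTicket t) =>
        t.Properties.ExpiresUtc is { } exp && exp <= DateTimeOffset.UtcNow;
}
```

An in-memory dictionary is lost on restart and is not shared between server instances; the same session-ID lookup and expiry sweep apply to a database-backed store.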