Signout from ExternalProvider and 2FA
skoruba opened this issue
Hi @damienbod
when I want to sign in via an external OIDC provider and 2FA is required, I am redirected to the login page with 2FA, which works well. But after that I get the claim called `idp`, but with the value `local` - the information about the external IdP is gone.
After an attempt to sign out, the redirect to the external provider is not executed because the claim `idp` is `local`, not `oidc`.
Do you have any idea how to configure these things for the following scenario?
Thanks!
Jan
Hi Jan
The external claims are not mapped to the Principal of the "local" user. You can map these as required in the account controller method which handles the callback from the external provider. In this method the external principal is cleaned up, so you can change this and persist it as needed.
Greetings Damien
Hello @damienbod
thank you for your idea - I probably solved this issue with a custom implementation of SignInManager and the method `SignInWithClaimsAsync` - https://github.com/skoruba/IdentityServer4.Admin/blob/dev/src/Skoruba.IdentityServer4.STS.Identity/Helpers/ApplicationSignInManager.cs#L60-L66
I think this issue was connected to this behaviour of the `idp` claim here:
https://github.com/IdentityServer/IdentityServer4/blob/main/src/IdentityServer4/src/Hosting/IdentityServerAuthenticationService.cs#L125-L143
We also added the `id_token` in this method - `SignInWithClaimsAsync` - for correct signout from the external IdP.
Thanks!
Jan
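The approach Jan describes above, as an added example that is not the project's own code: a custom `SignInManager` overriding `SignInWithClaimsAsync` so that the `idp` claim and the provider's `id_token` survive the 2FA step instead of being replaced by `idp=local`. It assumes the `IdentityModel` constants for the claim names and that the external authentication cookie is still readable when `SignInWithClaimsAsync` runs after 2FA; the class name `ExternalAwareSignInManager` is hypothetical.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical SignInManager: carries the external "idp" claim and the upstream
// id_token into the local Identity cookie, so IdentityServer does not fall back
// to idp=local and the sign-out can still be routed to the external provider.
public class ExternalAwareSignInManager<TUser> : SignInManager<TUser> where TUser : class
{
    public ExternalAwareSignInManager(
        UserManager<TUser> userManager,
        IHttpContextAccessor contextAccessor,
        IUserClaimsPrincipalFactory<TUser> claimsFactory,
        IOptions<IdentityOptions> optionsAccessor,
        ILogger<SignInManager<TUser>> logger,
        IAuthenticationSchemeProvider schemes,
        IUserConfirmation<TUser> confirmation)
        : base(userManager, contextAccessor, claimsFactory, optionsAccessor, logger, schemes, confirmation)
    {
    }

    public override async Task SignInWithClaimsAsync(TUser user,
        AuthenticationProperties authenticationProperties,
        IEnumerable<Claim> additionalClaims)
    {
        var claims = additionalClaims.ToList();

        // Assumption: the external cookie is still readable at this point,
        // so the provider name and tokens from the external login can be reused.
        var info = await GetExternalLoginInfoAsync();
        if (info != null && claims.All(c => c.Type != JwtClaimTypes.IdentityProvider))
        {
            // "idp" = which external provider authenticated the user (not "local").
            claims.Add(new Claim(JwtClaimTypes.IdentityProvider, info.LoginProvider));

            // Keep the provider's id_token so the end-session request on sign-out
            // can pass it as id_token_hint to the external IdP.
            var idToken = info.AuthenticationTokens?
                .FirstOrDefault(t => t.Name == OidcConstants.TokenResponse.IdentityToken);
            if (idToken != null)
                claims.Add(new Claim(OidcConstants.TokenResponse.IdentityToken, idToken.Value));
        }

        await base.SignInWithClaimsAsync(user, authenticationProperties, claims);
    }
}
```

Register it with `services.AddIdentity<...>().AddSignInManager<ExternalAwareSignInManager<ApplicationUser>>()` and enable `SaveTokens = true` on the OIDC handler, otherwise `AuthenticationTokens` will be empty and no `id_token` is available to copy.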