Identity Server 4 /connect/endsession failing "The resource you are looking for has been removed...."

  • Using Identity Server 4
  • Asp.Net Core MVC client successfully logs in
  • When logging out from the client I get an error on the URL https://identity.acme.com/connect/endsession.... (complete URL listed below)

    "The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."

AccountController.Logout calls

await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("oidc");

The URL in the browser is:

https://identity.acme.com/connect/endsession?post_logout_redirect_uri=https%3A%2F%2Fadmin.acme.com%2Fsignout-callback-oidc&id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6IkQ1NjY2RURGQjNFM0M3MDdCNkJCRUFCNEU3NTU3Q0NDNTNBOTc2Q0IiLCJ0eXAiOiJKV1QiLCJ4NXQiOiIxV1p1MzdQanh3ZTJ1LXEwNTFWOHpGT3Bkc3MifQ.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.ifQJVB25rAB3HP30F9vtRvzLZ9dHjORHX7cKoG6SLLR3WqGzpoCkjnq10ijffjj2QbsvjxRPvsYPgbVxISwP04V79RFTHqZI7Z39vsBSZSGeJnkhQLXCvMs9i6F4-aiHR9dF3KTMCMOXFfiG0stG69vIMPckUHuTh5yT5a_nFSL4lebLb5AOpPHto8TtTy6SvFOGp7uyXw7d_KVQ3U9lo4RTYvPVePgq9bZf1DcaOL_gutj2EmHVrNc9kDIQRxK4rTbjx2kFrxD2LauEmh-OXTdzjOqtXLQF2jRwV4sGvPImiBOt75vLMlJJUP8B7sEm61bR50hfOqpycm46PO_awryxWGvqItjrYe8P0OQtuaQghCkesjToW4_OPHHQJIX2jXLN3i0SvfmPEB41pqmP73cKvCjMAMeCllfZ8pfRwzsbzvWKYZ2jZkF4CT6zQq4pEGblEl12yC-I59gqRYozhxz1hiPep4KkgHZ40VRjCR5LNu8Mmx2qp8B7xwyfzes1r7VnCeMJJd7LNqRRdE6mszj7vaZdvHb8n7UDud1hzktYLoVUENodCo4KrGuD7QwT28q8IK2sbtcK_98aLap2WeXcuDMsP5zbrGS2Vb3N4YezdqEU7YJjvk9tvdMdafTYe4LKNaq-cDHVnJh_pmXJsL6odwz9eXkddJBPzhHXf6M&state=CfDJ8Pr81inWVH5OlYUuWwOTfYygcAOv4qo4Jl03Su6yhd8WHQz8m-LK-vBDM8CjSBrqjNLz4Qdqx8759Wpts3AsgHnf997vKLyWqQSOgTQPOpy5qyouRMRmHEsk-h5BnQR4_SHIkzo5_kgJQ0xROmsqUD4Aq3o0zYd-rI-GYHiii7P_&x-client-SKU=ID_NET&x-client-ver=2.1.4.0

To the best of my knowledge this was working for many months. I can't see any change in the code that would have impacted this so suspect it is environmental.

I have turned on logging and the /connect/endsession doesn't even appear to be triggered. All other events are logged.

In development, it works and the logging shows the endpoint being called:

Endpoint enabled: "Endsession", successfully created handler: "IdentityServer4.Endpoints.EndSessionEndpoint"
Request path "/connect/endsession" matched to endpoint type "Endsession"

The client has the correct PostLogoutRedirectUris configured in IdentityServer4 Config.cs

PostLogoutRedirectUris =
{
    "https://admin.acme.com/signout-callback-oidc"
},

Interestingly, if I manually edit the URL to remove the

post_logout_redirect_uri=https%3A%2F%2Fadmin.acme.com%2Fsignout-callback-oidc&

and submit then I'm successfully redirected to Identity Server to the LoggedOut page.

If I remove the

.AddOpenIdConnect("oidc", options =>
{
    options.SignedOutRedirectUri = "https://admin.acme.com";
});

from Startup.cs then I can successfully log out from the client (however, there is no longer a redirect after logout).

Can anyone explain what is happening?

UPDATE - Is it a URL length issue?

  • I've done some more investigation.
  • When I remove the post_logout_redirect_uri=https%3a%2f%2fadmin.acme.com%2fsignout-callback-oidc& it doesn't always work - this is a clarification of what I said before.
  • If I remove everything from state=xxxx onwards then the URL is accepted, Identity Server runs and it successfully redirects back to https://admin.acme.com/signout-callback-oidc; however, it is missing the state=xxxxx.
  • I can then append the state parameter to the redirected URL and the process completes: https://admin.acme.com/signout-callback-oidc?state=CfDJ8Pr81inWVH5OlYUuWwOTfYygcAOv4qo4Jl03Su6yhd8WHQz8m-LK-vBDM8CjSBrqjNLz4Qdqx8759Wpts3AsgHnf997vKLyWqQSOgTQPOpy5qyouRMRmHEsk-h5BnQR4_SHIkzo5_kgJQ0xROmsqUD4Aq3o0zYd-rI-GYHiii7P_&x-client-SKU=ID_NET&x-client-ver=2.1.4.0
  • The URL (unaltered) is 2135 characters.
  • I also did a test by shortening the overall URL to 2095 characters (taking characters from state=) and Identity Server is triggered (but the state code is invalid as I've altered it).
  • So whenever the URL is over 2095 characters it is failing.

This makes me question if this is an issue with the server not accepting a long url?

Fanetic asked Jan 29 '23 07:01



1 Answer

Based on the debugging outlined in the question, I determined this appeared to be an issue with URL length.

  • I followed the guidance in this article https://leastprivilege.com/2016/12/14/optimizing-identity-tokens-for-size/ and this article https://leastprivilege.com/2017/11/15/missing-claims-in-the-asp-net-core-2-openid-connect-handler/ to reduce the number of claims being returned and hence the size of the token.
  • This resulted in the problem going away.
  • I still don't know why this suddenly stopped working (noting that the size or number of claims hadn't changed).

A positive outcome is that I had to dive much deeper into understanding how Identity Server works and I've managed to optimise the overall sign-on process and speed significantly as well as improve my overall implementation.

In summary - these are some of the changes I made:

Don't return

IdentityServerConstants.StandardScopes.Profile

Set

AlwaysIncludeUserClaimsInIdToken = false

and use

public async Task GetProfileDataAsync(ProfileDataRequestContext context)

to provide the claims you need (as well as not returning claims my client was not using)

Fanetic answered Feb 13 '23 07:02

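The three changes summarised in the answer (drop the Profile scope, set AlwaysIncludeUserClaimsInIdToken = false, and hand-pick claims in an IProfileService) fit together as one IdentityServer4 host configuration. The following is an added example written for this page; it is not the answerer's code. The client id "admin", the secret placeholder, the "admin_profile" identity resource, the LeanProfileService class and the allow-list of claim types are assumptions chosen for illustration; the redirect URIs are the ones from the question.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using IdentityModel;                       // JwtClaimTypes
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.Extensions.DependencyInjection;

namespace Acme.Identity                    // assumed namespace
{
    // Client and identity-resource definitions that keep the id_token small.
    public static class Config
    {
        public static IEnumerable<IdentityResource> IdentityResources =>
            new IdentityResource[]
            {
                new IdentityResources.OpenId(),
                // Instead of the large standard Profile scope, a narrow custom
                // resource exposing only the claims the admin client uses.
                // These are served from /connect/userinfo, not packed into the id_token.
                new IdentityResource("admin_profile",
                    new[] { JwtClaimTypes.Name, JwtClaimTypes.Role }),
            };

        public static IEnumerable<Client> Clients => new[]
        {
            new Client
            {
                ClientId = "admin",                                          // assumed
                ClientSecrets = { new Secret("<client-secret-placeholder>".Sha256()) },
                AllowedGrantTypes = GrantTypes.Code,
                RedirectUris = { "https://admin.acme.com/signin-oidc" },
                PostLogoutRedirectUris = { "https://admin.acme.com/signout-callback-oidc" },
                // No IdentityServerConstants.StandardScopes.Profile here.
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    "admin_profile",
                },
                // Do not copy every user claim into the id_token; the token then
                // carries essentially "sub" plus protocol claims, so the
                // id_token_hint on /connect/endsession stays short.
                AlwaysIncludeUserClaimsInIdToken = false,
            }
        };
    }

    // Profile service that emits only allow-listed claims that were actually
    // requested, so an unexpected claim on the principal cannot bloat a token.
    public class LeanProfileService : IProfileService
    {
        private static readonly string[] AllowedClaimTypes =
        {
            JwtClaimTypes.Subject,
            JwtClaimTypes.Name,
            JwtClaimTypes.Role,
        };

        public Task GetProfileDataAsync(ProfileDataRequestContext context)
        {
            // context.Subject is the principal established at login (the "Cookies" scheme).
            var candidate = context.Subject.Claims
                .Where(c => AllowedClaimTypes.Contains(c.Type))
                .ToList();

            // AddRequestedClaims additionally filters by context.RequestedClaimTypes,
            // i.e. only claims belonging to the scopes the client asked for are issued.
            context.AddRequestedClaims(candidate);
            return Task.CompletedTask;
        }

        public Task IsActiveAsync(IsActiveContext context)
        {
            // Assumption: no account-disabled check is modelled here.
            context.IsActive = true;
            return Task.CompletedTask;
        }
    }

    public static class IdentityServerRegistration
    {
        // Call from Startup.ConfigureServices of the IdentityServer host.
        public static IServiceCollection AddLeanIdentityServer(this IServiceCollection services)
        {
            services.AddIdentityServer()
                .AddDeveloperSigningCredential()   // replace with a real key outside development
                .AddInMemoryIdentityResources(Config.IdentityResources)
                .AddInMemoryClients(Config.Clients)
                .AddProfileService<LeanProfileService>();
            return services;
        }
    }
}
```

With this configuration the id_token that ends up in id_token_hint contains only what the openid scope requires, while name and role remain available to the client through the userinfo endpoint. A quick check that the change had the intended effect is to measure the length of the /connect/endsession URL the client generates before and after: in the question it was 2135 characters and anything above 2095 failed, so the id_token_hint is the parameter to watch.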