Duende Software
Headers are read-only exception during logging out #134
-
IdentityServer version7.1.1 .NET version8.0 DescriptionIf a saml2 logout request (from a identity provider) is sent to our service which is using duende identity server act as a saml2 service provider, then Duende.IdentityServer.Hosting.FederatedSignOut will throw a system invalid exception that "Headers are read-only, response has already started." Reproduction steps
Expected behaviorNo response LogsSystem.InvalidOperationException:
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpHeaders.ThrowHeadersReadOnlyException (Microsoft.AspNetCore.Server.Kestrel.Core, Version=8.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpResponseHeaders.Microsoft.AspNetCore.Http.IHeaderDictionary.set_CacheControl (Microsoft.AspNetCore.Server.Kestrel.Core, Version=8.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
at Duende.IdentityServer.Extensions.HttpResponseExtensions.SetNoCache (Duende.IdentityServer, Version=7.1.1.0, Culture=neutral, PublicKeyToken=null: /_/src/IdentityServer/Extensions/HttpResponseExtensions.cs:69)
at Duende.IdentityServer.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper+<RenderResponseAsync>d__11.MoveNext (Duende.IdentityServer, Version=7.1.1.0, Culture=neutral, PublicKeyToken=null: /_/src/IdentityServer/Hosting/FederatedSignOut/AuthenticationRequestHandlerWrapper.cs:88)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Duende.IdentityServer.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper+<ProcessFederatedSignOutRequestAsync>d__10.MoveNext (Duende.IdentityServer, Version=7.1.1.0, Culture=neutral, PublicKeyToken=null: /_/src/IdentityServer/Hosting/FederatedSignOut/AuthenticationRequestHandlerWrapper.cs:78)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Duende.IdentityServer.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper+<HandleRequestAsync>d__6.MoveNext (Duende.IdentityServer, Version=7.1.1.0, Culture=neutral, PublicKeyToken=null: /_/src/IdentityServer/Hosting/FederatedSignOut/AuthenticationRequestHandlerWrapper.cs:49)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware+<Invoke>d__6.MoveNext (Microsoft.AspNetCore.Authentication, Version=8.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware+<Invoke>d__3.MoveNext (Duende.IdentityServer, Version=7.1.1.0, Culture=neutral, PublicKeyToken=null: /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:51)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Duende.IdentityServer.Hosting.BaseUrlMiddleware+<Invoke>d__2.MoveNext (Duende.IdentityServer, Version=7.1.1.0, Culture=neutral, PublicKeyToken=null: /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:27)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at start up of our application....
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol+<ProcessRequests>d__238`1.MoveNext (Microsoft.AspNetCore.Server.Kestrel.Core, Version=8.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)Additional contextNo response |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 6 replies
-
|
Are you using the Saml2 Http POST binding for the logout to the Saml2 provider? That binding writes a body to the response which will cause the headers to be flushed. When the IdentityServer FederatedSignOut.AuthenticationRequestHandlerWrapper tries to set the headers that is no longer possible. It is usually better to configure the Saml2 library to use the Http Redirect binding for logout. |
Beta Was this translation helpful? Give feedback.
-
|
You would have to refer to the RSK Saml2 documentation/support if that's the library you are using. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you very much for answer, we will check then that documentation. I would have a question more: why does duende identity server check response status code (redirection or post) before federated logout will be processed? Thank you for your answer. You already help me to think about an alternative solution. |
Beta Was this translation helpful? Give feedback.
-
|
Duende IdentityServer intercepts logout to be able to notify its clients about a logout. It looks like there might be a conflict here between the IdentityServer plumbing and the Saml2 logout model where the SP (in this case IdentityServer is the SP) is expected to redirect back to the provider. Is this happening when an upstream Saml2 provider issues a logout request to IdentityServer? |
Beta Was this translation helpful? Give feedback.
-
|
What do you mean with upstream provider? In our case, our identity provider (idp) sends to our identity server (sp) a post saml2 logout request, which causes the exception. If our identity server (sp) sends a post saml2 logout request to our identity provider (idp) and the idp sends a post logout response to our sp, there is no exception. We also have another SP which is using another saml provider, it does not get the exception in the same case. I think there could be some conflict between rsk saml2 logout and duende identity server as you assumed. |
Beta Was this translation helpful? Give feedback.
-
|
If your IdentityServer acts as an SP to a Saml Idp, i use the term upstream provider for that Saml Idp. What you describe makes sense. The logout interception that IdentityServer does to handle single logout for it's clients is obviously causing a conflict with RSK's Saml2 implementation. If you would be able to switch the Saml2 plugin to use a redirect binding for the logout response that would remove the exception, but it would break single logout to IdentityServer clients. I think that this is a question for RSK support to handle as their plugin does not work well with IdentityServer in this case. |
Beta Was this translation helpful? Give feedback.
Are you using the Saml2 Http POST binding for the logout to the Saml2 provider? That binding writes a body to the response which will cause the headers to be flushed. When the IdentityServer FederatedSignOut.AuthenticationRequestHandlerWrapper tries to set the headers that is no longer possible.
It is usually better to configure the Saml2 library to use the Http Redirect binding for logout.