asp.net-core asp.net-identity identityserver4 openid-connect

Identity Server 4 /connect/endsession failing "The resource you are looking for has been removed...."

Using Identity Server 4
Asp.Net Core MVC client successfully login
When logging out from client getting error on url https://identity.acme.com/connect/endsession.... (complete url listed below)

"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."

AccountController.Logout calls

await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("oidc");

The Url in the browser is:

https://identity.acme.com/connect/endsession?post_logout_redirect_uri=https%3A%2F%2Fadmin.acme.com%2Fsignout-callback-oidc&id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6IkQ1NjY2RURGQjNFM0M3MDdCNkJCRUFCNEU3NTU3Q0NDNTNBOTc2Q0IiLCJ0eXAiOiJKV1QiLCJ4NXQiOiIxV1p1MzdQanh3ZTJ1LXEwNTFWOHpGT3Bkc3MifQ.eyJuYmYiOjE1MjM4NTI5NDMsImV4cCI6MTUyMzg1NjU0MywiaXNzIjoiaHR0cHM6Ly9pZGVudGl0eS50eXBzeS5jb20iLCJhdWQiOiJ0eXBzeS1pbmRpdmlkdWFsIiwibm9uY2UiOiI2MzY1OTQ0OTczMzc2OTAzMjQuTkRFME5EVXlORFF0WldOaU9TMDBOMkkzTFRrM01UY3RZVFl3WldRNVl6UmpObUk1WkRkaE5UUmtNVGN0WWpjM1lTMDBPVE16TFdFeU5tSXRZekpqWW1SaFptWTBPV1EzIiwiaWF0IjoxNTIzODUyOTQzLCJhdF9oYXNoIjoidkZacmdQUUI2UHd5VzBDeUhCV3QzdyIsInNpZCI6IjFlYjQxYzgwYjhmNGUxMTQ4MjViNDhiNmY4OWE1ZWY3Iiwic3ViIjoiYTAxNjI0MzAtZWIyMi00MTU0LWJmNTktMGJhNDliZmQ0NzNkIiwiYXV0aF90aW1lIjoxNTIzODUyOTQxLCJpZHAiOiJsb2NhbCIsIkFzcE5ldC5JZGVudGl0eS5TZWN1cml0eVN0YW1wIjoiMGM1YzQyNTQtOTM4NS00MWFiLWI5MTktNDFhZjgyOTFlNjljIiwiT3JnYW5pc2F0aW9uIjoiRmFuZXRpYyIsImdpdmVuX25hbWUiOiJKdXN0aW4iLCJmYW1pbHlfbmFtZSI6IkRyZXJ1cCIsInJvbGUiOlsiU3R1ZGVudCIsIkFkbWluaXN0cmF0b3IiLCJNYW5hZ2VyIiwiQWRtaW4iLCJUeXBzeS1PcmciXSwicHJlZmVycmVkX3VzZXJuYW1lIjoianVzdGluZEB0eXBzeS5jb20iLCJuYW1lIjoianVzdGluZEB0eXBzeS5jb20iLCJlbWFpbCI6Imp1c3RpbmRAdHlwc3kuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImFtciI6WyJwd2QiXX0.ifQJVB25rAB3HP30F9vtRvzLZ9dHjORHX7cKoG6SLLR3WqGzpoCkjnq10ijffjj2QbsvjxRPvsYPgbVxISwP04V79RFTHqZI7Z39vsBSZSGeJnkhQLXCvMs9i6F4-aiHR9dF3KTMCMOXFfiG0stG69vIMPckUHuTh5yT5a_nFSL4lebLb5AOpPHto8TtTy6SvFOGp7uyXw7d_KVQ3U9lo4RTYvPVePgq9bZf1DcaOL_gutj2EmHVrNc9kDIQRxK4rTbjx2kFrxD2LauEmh-OXTdzjOqtXLQF2jRwV4sGvPImiBOt75vLMlJJUP8B7sEm61bR50hfOqpycm46PO_awryxWGvqItjrYe8P0OQtuaQghCkesjToW4_OPHHQJIX2jXLN3i0SvfmPEB41pqmP73cKvCjMAMeCllfZ8pfRwzsbzvWKYZ2jZkF4CT6zQq4pEGblEl12yC-I59gqRYozhxz1hiPep4KkgHZ40VRjCR5LNu8Mmx2qp8B7xwyfzes1r7VnCeMJJd7LNqRRdE6mszj7vaZdvHb8n7UDud1hzktYLoVUENodCo4KrGuD7QwT28q8IK2sbtcK_98aLap2WeXcuDMsP5zbrGS2Vb3N4YezdqEU7YJjvk9tvdMdafTYe4LKNaq-cDHVnJh_pmXJsL6odwz9eXkddJBPzhHXf6M&state=CfDJ8Pr81inWVH5OlYUuWwOTfYygcAOv4qo4Jl03Su6yhd8WHQz8m-LK-vBDM8CjSBrqjNLz4Qdqx8759Wpts3AsgHnf997vKLyWqQSOgTQPOpy5qyouRMRmHEsk-h5BnQR4_SHIkzo5_kgJQ0xROmsqUD4Aq3o0zYd-rI-GYHiii7P_&x-client-SKU=ID_NET&x-client-ver=2.1.4.0

To the best of my knowledge this was working for many months. I can't see any change in the code that would have impacted this so suspect it is environmental.

I have turned on logging and the /connect/endsession doesn't even appear to be triggered. All other events are logged.

In development, it works and the logging shows the endpoint being called:

Endpoint enabled: "Endsession", successfully created handler: "IdentityServer4.Endpoints.EndSessionEndpoint"
Request path "/connect/endsession" matched to endpoint type "Endsession"

The client has the correct PostLogoutRedirectUris configured in IdentityServer4 Config.cs

PostLogoutRedirectUris =
                {
                    "https://admin.acme.com/signout-callback-oidc"
                },

Interestingly, if I manually edit the Url to remove the

post_logout_redirect_uri=https%3A%2F%2Fadmin.acme.com%2Fsignout-callback-oidc&

and submit then I'm successfully redirected to Identity Server to the LoggedOut page.

If I remove the

.AddOpenIdConnect("oidc", options =>
{
    options.SignedOutRedirectUri = "https://admin.acme.com";
}

from the startup.cs then I can successfully logout from the client (however there is no longer a redirect post logout)

Can anyone explain what is happening?

UPDATE - Is it a length of URL issue?

I've done some more investigation
when i remove the post_logout_redirect_uri=https%3a%2f%2fadmin.acme.com%2fsignout-callback-oidc& it doesn't always work - this is a clarification on what I said before.
If I remove everything from state=xxxx onwards then the url is accepted, Identity Server runs and it successfully redirects back to https://admin.acme.com/signout-callback-oidc however it is missing the state=xxxxx
I can then append the state parameter to the redirected Url and the process completes https://admin.acme.com/signout-callback-oidc?state=CfDJ8Pr81inWVH5OlYUuWwOTfYygcAOv4qo4Jl03Su6yhd8WHQz8m-LK-vBDM8CjSBrqjNLz4Qdqx8759Wpts3AsgHnf997vKLyWqQSOgTQPOpy5qyouRMRmHEsk-h5BnQR4_SHIkzo5_kgJQ0xROmsqUD4Aq3o0zYd-rI-GYHiii7P_&x-client-SKU=ID_NET&x-client-ver=2.1.4.0
The Url (un-altered) is 2135 characters
I also did a test by shortening some of the characters from the overall url to 2095 characters (taking from state=) and Identity Server is triggered (but the state code is invalid as I've altered it)
So whenever the url is over 2095 characters it is failing.

This makes me question if this is an issue with the server not accepting a long url?

Solution

Based on the debugging outlined in the question I determined this appeared to be an issue with Url length.

I followed the guidance in this article https://leastprivilege.com/2016/12/14/optimizing-identity-tokens-for-size/ and this article https://leastprivilege.com/2017/11/15/missing-claims-in-the-asp-net-core-2-openid-connect-handler/ and this article https://leastprivilege.com/2017/11/15/missing-claims-in-the-asp-net-core-2-openid-connect-handler/ to reduce the number of claims being returned and hence the size of the token.
This resulted in the problem going away.
I still don't know why this suddenly stopped working (noting that the size or number of claims hadn't changed)

A positive outcome is that I had to dive much deeper into understanding how Identity Server works and I've managed to optimise the overall sign-on process and speed significantly as well as improve my overall implementation.

In summary - these are some of the changes I made:

Don't return

IdentityServerConstants.StandardScopes.Profile

Set

AlwaysIncludeUserClaimsInIdToken = false

and use

public async Task GetProfileDataAsync(ProfileDataRequestContext context)

to provide the claims you need (as well as not returning claims my client was not using)