Early Preview

This is currently very much a preview. Please feel free to try things out, but don't be upset if anything is not yet working. Feedback is welcome over on our GitHub Discussions page.

class Duende.IdentityServer.Validation.EndSessionRequestValidator

Assembly: Duende.IdentityServer

Inheritance: object → EndSessionRequestValidator

Implemented Interfaces

Validates requests to the end session endpoint.

Fields and Constants

The logger.
Options
The IdentityServer options.
protected readonly ITokenValidator
TokenValidator
The token validator.
protected readonly IRedirectUriValidator
UriValidator
The URI validator.
protected readonly Services.IUserSession
UserSession
The user session service.
EndSessionMessageStore
The end session message store.

Properties

LogoutNotificationService
The logout notification service.
SamlLogoutNotificationService
The SAML logout notification service.
SamlLogoutSessionStore
The SAML logout session store.
TimeProvider
The time provider.

Methods

Invalid(string message, ValidatedEndSessionRequest request = null)
Creates a result that indicates an error.
protected void
LogSuccess(ValidatedEndSessionRequest request)
Logs a success result.
ValidateIdTokenHintAsync(EndSessionHintValidationContext context, System.Threading.CancellationToken ct)
Validates the id_token_hint's claims (sub/sid) against the current user session. Override this method to customize how the id_token_hint is matched to the session.
Returns An EndSessionHintValidationResult indicating whether the hint is valid, invalid, or requires user confirmation.
context The context containing the current authenticated user, the token validation result (with all token claims), and the current session ID.
ct The cancellation token.
Remarks The default implementation uses a sid-first strategy: if a sid claim is present in the token and the current session has a session ID, the two are compared. If no sid is present, or the current session has no session ID, the sub claim is compared against the authenticated user's subject ID as a fallback. If neither claim is present, the hint is treated as valid.
Security note: Returning EndSessionHintValidationResult.Valid() unconditionally (i.e., accepting any id_token_hint regardless of sub/sid match) creates a cross-user logout vector. An attacker holding any valid id_token_hint can silently log out other users when the signout prompt is suppressed. Ensure custom overrides apply appropriate validation logic.
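The sid-first matching described in the Remarks for ValidateIdTokenHintAsync, next to the accept-all behaviour the security note warns about, modelled as a stand-alone C# program. This is an added example, not Duende IdentityServer code: Hint, Session, HintOutcome and HintMatcher are hypothetical stand-ins for the context and result types, and NotMatched stands for whichever non-valid result (invalid or requires user confirmation) applies, which this page does not specify.

```csharp
#nullable enable
using System;

// Constructed sample data: the browser session belongs to alice.
var session = new Session("alice", "sid-A1");
var noSidSession = new Session("alice", null);

var cases = new (string Name, Hint Hint, Session Session)[]
{
    ("own hint, same session",        new Hint("alice",   "sid-A1"), session),
    ("own hint, older session's sid", new Hint("alice",   "sid-A0"), session),
    ("other user's hint",             new Hint("mallory", "sid-M7"), session),
    ("session has no sid, sub match", new Hint("alice",   "sid-A0"), noSidSession),
    ("hint without sub or sid",       new Hint(null, null),          session),
};

foreach (var c in cases)
    Console.WriteLine($"{c.Name,-30} sid-first={HintMatcher.SidFirst(c.Hint, c.Session),-10} " +
                      $"accept-all={HintMatcher.AcceptAll(c.Hint, c.Session)}");

enum HintOutcome { Valid, NotMatched }
record Hint(string? Sub, string? Sid);    // sub/sid claims taken from the id_token_hint
record Session(string Sub, string? Sid);  // authenticated user and current session ID

static class HintMatcher
{
    // Hypothetical model of the sid-first strategy as the Remarks describe it.
    public static HintOutcome SidFirst(Hint hint, Session session)
    {
        // 1. Both sides carry a session ID: sid alone decides.
        if (hint.Sid is not null && session.Sid is not null)
            return Compare(hint.Sid, session.Sid);
        // 2. Fallback: compare sub with the authenticated user's subject ID.
        if (hint.Sub is not null)
            return Compare(hint.Sub, session.Sub);
        // 3. Nothing to compare: treated as valid. The page states this for a
        //    token with neither claim; applying it to an uncomparable sid with
        //    no sub is an assumption of this model.
        return HintOutcome.Valid;
    }

    // The override pattern from the security note: no sub/sid check at all.
    public static HintOutcome AcceptAll(Hint hint, Session session) => HintOutcome.Valid;

    // Ordinal comparison: identifiers are matched exactly, with no case folding.
    static HintOutcome Compare(string a, string b) =>
        string.Equals(a, b, StringComparison.Ordinal) ? HintOutcome.Valid : HintOutcome.NotMatched;
}
```

The "other user's hint" row is the case the security note describes: the sid-first check does not accept it, while the accept-all variant does.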
public bool
Equals(object obj)
Inherited from object
protected void
Finalize()
Inherited from object
public int
GetHashCode()
Inherited from object
GetType()
Inherited from object
protected object
MemberwiseClone()
Inherited from object
public string
ToString()
Inherited from object