RonaldRex-2335 asked ZhiLv-MSFT answered

Identity Framework

What's the best practice for logging out if you are using Basic Authentication? I read this... What you have to do is have the user click a logout link, and send a ‘401 Unauthorized’ in response, using the same realm and at the same URL folder level as the normal 401 you send requesting a login. But I was needing some clarity about how to code this if someone could help. Thanks !!!

dotnet-aspnet-general dotnet-aspnet-core-webapi

Your question is a little confusing. There's nothing to log out in Basic Authentication.

Identity typically uses cookie authentication in a browser-based application and a token in a code client. Basic authentication is a standard HTTP authentication scheme usually configured on the host web server. It can be implemented in code as well but works the same.

Basic Authentication sends base64 encoded user credentials in the HTTP Authorization header. In a browser based application, the browser caches the credentials until the user closes the browser. In a code based client the client code must add the base64 encoded credentials to the HTTP request.

Can you share code that illustrates how your security is designed?

Bruce-SqlWork answered AgaveJoe edited

What is your goal? You can force the browser to ask for credentials again by responding with a 401 to a request with credentials. You need to be careful or you will get in a loop.


Thank You !!! I just want to log the user out when they click on logout as opposed to them having to close the browser session to log them out. What will the code look like to get a 401 response? Or do I just code a controller to send back that response when user clicks on logout? Thanks !!!

AgaveJoe replied to RonaldRex-2335

Basic authentication works at the host level, not the application, and the login comes from the browser, not the web application. Returning a 401 causes the browser to prompt the user. The user will get stuck in an infinite prompt loop if the user enters their "good" credentials. Your approach is a browser hack and confusing to the user.

If a logout button or link is a requirement then use cookie authentication rather than Basic authentication because you can expire a cookie and control the login process. The Identity framework mentioned in your title uses a cookie...

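The 401 response asked about in this thread, written out as an added example that is not code from any participant; it also shows where the prompt loop AgaveJoe describes comes from. It assumes an ASP.NET Core 6+ web project with implicit usings, and the realm, routes, demo account and helper names (`HasValidCredentials`, `ChallengeAsync`) are constructed for illustration.

```csharp
// Program.cs for an ASP.NET Core 6+ web project with implicit usings (assumption).
// Constructed demo values: realm "demo", account demo / constructed-password.
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;

const string BasicChallenge = "Basic realm=\"demo\"";
var app = WebApplication.CreateBuilder(args).Build();

// True only when the request carries "Authorization: Basic base64(demo:constructed-password)".
bool HasValidCredentials(HttpRequest request)
{
    if (!AuthenticationHeaderValue.TryParse(request.Headers["Authorization"], out var header)
        || !string.Equals(header.Scheme, "Basic", StringComparison.OrdinalIgnoreCase)
        || header.Parameter is null)
        return false;
    try
    {
        var presented = Convert.FromBase64String(header.Parameter);
        var expected = Encoding.UTF8.GetBytes("demo:constructed-password");
        return CryptographicOperations.FixedTimeEquals(presented, expected);
    }
    catch (FormatException) { return false; }
}

// 401 plus WWW-Authenticate is what makes the browser show its credential prompt.
Task ChallengeAsync(HttpContext ctx, string body)
{
    ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
    ctx.Response.Headers["WWW-Authenticate"] = BasicChallenge;
    return ctx.Response.WriteAsync(body);
}

// Protected page: the normal 401 that requests a login.
app.MapGet("/", (HttpContext ctx) => HasValidCredentials(ctx.Request)
    ? ctx.Response.WriteAsync("Signed in as demo. Logout link: /logout")
    : ChallengeAsync(ctx, "Authentication required."));

// "Logout": same realm, same folder level, but 401 even when the credentials are valid,
// so the browser prompts again. Entering the good credentials again only repeats the
// 401, which is the loop described in the thread; nothing is invalidated on the server.
app.MapGet("/logout", (HttpContext ctx) =>
    ChallengeAsync(ctx, "Signed out."));

app.Run();
```
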
ZhiLv-MSFT answered

Hi @RonaldRex-2335,

In an ASP.NET Core application, if you are using ASP.NET Core Identity, you can use Scaffold Identity to generate the Logout page.

After that you can find the Logout view page from the "Areas/Identity/Account/" folder. Then, in the _LoginPartial.cshtml partial view, you can add the following code:

 @using Microsoft.AspNetCore.Identity
 @using CustomIndetitySample.Data
    
 @inject SignInManager<ApplicationUser> SignInManager
 @inject UserManager<ApplicationUser> UserManager
    
 <ul class="navbar-nav">
 @if (SignInManager.IsSignedIn(User))
 {
     <li class="nav-item">
         <a  class="nav-link text-dark" asp-area="Identity" asp-page="/Account/Manage/Index" title="Manage">Hello @User.Identity.Name!</a>
     </li>
     <li class="nav-item">
         <form  class="form-inline" asp-area="Identity" asp-page="/Account/Logout" asp-route-returnUrl="@Url.Action("Index", "Home", new { area = "" })">
             <button  type="submit" class="nav-link btn btn-link text-dark">Logout</button>
         </form>
     </li>
 }
 else
 {
     <li class="nav-item">
         <a class="nav-link text-dark" asp-area="Identity" asp-page="/Account/Register">Register</a>
     </li>
     <li class="nav-item">
         <a class="nav-link text-dark" asp-area="Identity" asp-page="/Account/Login">Login</a>
     </li>
 }
 </ul>

After the user clicks the Logout link, it will redirect to the Logout action method with the returnUrl: "/Home".

In the Logout.cshtml.cs file, it will use the _signInManager.SignOutAsync() method to log out, and then redirect to the Home Index page (which is public).

     public async Task<IActionResult> OnPost(string returnUrl = null)
     {
         await _signInManager.SignOutAsync();
         _logger.LogInformation("User logged out.");
         if (returnUrl != null)
         {
             return LocalRedirect(returnUrl);
         }
         else
         {
             return RedirectToPage();
         }
     }

If you set the redirect URL to a protected page, it will redirect to the login page.

For more detailed information, you can check the official document and the sample.



Best regards,
Dillion
