diff --git a/Webzine.WebApplication/Controllers/AccountController.cs b/Webzine.WebApplication/Controllers/AccountController.cs
index ef3f4fe..10fb868 100644
--- a/Webzine.WebApplication/Controllers/AccountController.cs
+++ b/Webzine.WebApplication/Controllers/AccountController.cs
@@ -26,7 +26,8 @@
 {
 RedirectUri = "/",
 },
- CookieAuthenticationDefaults.AuthenticationScheme);
+ CookieAuthenticationDefaults.AuthenticationScheme,
+ OpenIdConnectDefaults.AuthenticationScheme);
 }
 
 [HttpGet("/account/access-denied")]
diff --git a/Webzine.WebApplication/Program.cs b/Webzine.WebApplication/Program.cs
index 999fe72..e3b2c8a 100644
--- a/Webzine.WebApplication/Program.cs
+++ b/Webzine.WebApplication/Program.cs
@@ -260,6 +260,12 @@ try
 OnRedirectToIdentityProviderForSignOut = context =>
 {
+ var idToken = context.HttpContext.User.FindFirst("id_token")?.Value;
+ if (!string.IsNullOrWhiteSpace(idToken))
+ {
+ context.ProtocolMessage.IdTokenHint = idToken;
+ }
+
 if (!string.IsNullOrWhiteSpace(publicOrigin))
 {
 context.ProtocolMessage.PostLogoutRedirectUri = publicOrigin + context.Options.SignedOutCallbackPath;
@@ -273,6 +279,12 @@ try
 var identity = (ClaimsIdentity)context.Principal!.Identity!;
 var clientId = context.Options.ClientId;
+ if (context.SecurityToken is JwtSecurityToken idToken && !string.IsNullOrWhiteSpace(idToken.RawData))
+ {
+ identity.AddClaim(new Claim("id_token", idToken.RawData));
+ }
+
 AddKeycloakRolesFromClaims(identity, context.Principal, clientId);
 AddKeycloakRolesFromAccessToken(identity, context.TokenEndpointResponse?.AccessToken, clientId);
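Review bot: The new block at the top of OnRedirectToIdentityProviderForSignOut unconditionally overwrites `context.ProtocolMessage.IdTokenHint`, but the OpenID Connect handler already fills that field before raising this event whenever the id_token was persisted with `SaveTokens = true` (it reads it back through `GetTokenAsync` on the sign-out scheme). I cannot see the options block from this hunk; if SaveTokens is enabled there, the extra "id_token" claim round-trip is redundant, and if it is not, the claim is the only source and this works but should be written as a fallback rather than an override: `if (string.IsNullOrWhiteSpace(context.ProtocolMessage.IdTokenHint) && !string.IsNullOrWhiteSpace(idToken))`. A short comment on the new lines, `// fallback id_token_hint from the "id_token" claim added in OnTokenValidated`, would also tell the next reader where the claim comes from. The `publicOrigin` variable and the enclosing options lambda are defined outside the hunk.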
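Review bot: The `context.SecurityToken is JwtSecurityToken idToken` pattern on the first added line only matches the legacy System.IdentityModel.Tokens.Jwt validator; on .NET 8 and later the OpenID Connect handler defaults to `UseSecurityTokenValidator = false` and exposes the validated token as a Microsoft.IdentityModel.JsonWebTokens `JsonWebToken`, so on those targets the pattern is false, no "id_token" claim is added, and the sign-out hook in the previous hunk silently sends no id_token_hint. The target framework and the options block are not visible here, so if the app pins the legacy validator this is fine; otherwise match both token types as below (needs `using Microsoft.IdentityModel.JsonWebTokens;`). Storing the raw token as a claim also puts it into the authentication cookie and into `User.Claims`, which adds to cookie size and exposes it to any view or log that dumps claims; if `SaveTokens = true` is set, the handler already keeps the id_token in the authentication properties and this claim is unnecessary. The enclosing lambda (presumably OnTokenValidated, given `context.SecurityToken` and `context.TokenEndpointResponse`) starts and ends outside the hunk.
```csharp
// … unchanged: identity / clientId setup …
var rawIdToken = context.SecurityToken switch
{
    JwtSecurityToken legacy => legacy.RawData,   // UseSecurityTokenValidator = true
    JsonWebToken jwt => jwt.EncodedToken,        // default validator on .NET 8+
    _ => null,
};
if (!string.IsNullOrWhiteSpace(rawIdToken))
{
    identity.AddClaim(new Claim("id_token", rawIdToken));
}
// … unchanged: AddKeycloakRoles* calls …
```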