使用 Azure 的 ACS 时如何注销 Facebook?
Facebook 开发者政策第 6 条规则规定我必须提供明确的注销链接,但我'我无法让它发挥作用。
我的目标是要么让我的应用程序退出 Facebook,要么让用户退出整个 Facebook 体验环境,或者同时退出这两者。到目前为止,这些我都做不到。
由于我使用的是 Azure ACS 并且没有使用典型的 FB API,这可能会变得复杂。我尝试过的事情包括:
"http://www.facebook.com/logout.php?api_key={0}&;session_key={1}";
// I don't know how to get the session key. I attempted the values stored in
// the claim "http://www.facebook.com/claims/AccessToken" but no luck
尝试 2:ACS 注销(未记录?)
https://tlsadmin.accesscontrol.windows.net/v2/wsfederation?wa=wsignoutcleanup1.0
这两种方法都不允许备用 Facebook 用户登录。任何链接将不胜感激。
简化问题
如何让 *.accesscontrol.windows.net 重定向回我的网站?
Rule #6 of the Facebook developer policy says I must provide an explicit Log out link, but I'm unable to make it work.
My goal is to either sign my application out of Facebook, the user from the entire Facebook experience environment, or both. So far, I can't do any of these.
This may be complicated by the fact I'm using Azure ACS and am not using the typical FB APIs. Things I've tried include:
Attempt 1: Facebook OAuth Logout
"http://www.facebook.com/logout.php?api_key={0}&;session_key={1}";
// I don't know how to get the session key. I attempted the values stored in
// the claim "http://www.facebook.com/claims/AccessToken" but no luck
Attempt 2: ACS logout (undocumented?)
https://tlsadmin.accesscontrol.windows.net/v2/wsfederation?wa=wsignoutcleanup1.0
Neither of these approaches allow an alternate Facebook user to sign in. Any links would be appreciated.
Simplified Question
How do I get *.accescontrol.windows.net to redirect back to my website?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
2012 年 12 月的 ACS 更新包括对联合单点登录的支持:
来自代码示例:具有联合注销功能的 ASP.NET MVC 4 ,实现如下所示的操作以从 ACS 注销:(
请注意,Windows Identity Foundation 现已合并到 .NET 4.5 Framework 中,这就是下面的新命名空间的原因)
The December 2012 update of ACS includes support for federated single sign-out:
From the Code Sample: ASP.NET MVC 4 with Federated Sign-out, implement an Action like the following to sign out from ACS:
(Note that Windows Identity Foundation is now incorporated into .NET 4.5 Framework, that's why the new namespaces below)
正如这篇文章所建议的:Azure AppFabric 访问控制服务注销,您可以创建自定义注销按钮,只需在单击按钮时调用 ederatedAuthentication.WSFederationAuthenticationModule.SignOut 方法即可。然后 ACS 应该为您处理注销过程。
As this post suggests: Azure AppFabric Access Control Service Log Off, you can create a custom log out button, and simply call the ederatedAuthentication.WSFederationAuthenticationModule.SignOut method on the click of the button. ACS then should handle the log out process for you.
一般来说,联合注销需要两到三个步骤 - 在本地,您需要删除表单身份验证 cookie(如果使用了 form auth cookie)以及 FIM cookie,这将从本地应用程序注销。
然后,您需要向所使用的 STS 发出 wasignoutcleanup10 请求,这将使您从 STS 本身注销,并且理论上,应该向该过程中涉及的所有其他 IP( STS 应该跟踪每个请求联系了哪些 IP)
我曾经使用 Windows Identity Foundation 构建了这样的场景,它具有所需的组件,但它确实需要一些开发来跟踪所有 IP 并发出来电。
我怀疑 ACS 目前不支持此行为,这意味着用户必须关闭浏览器才能从所有应用程序完全注销。
Generally speaking there are two or three steps to federated sign out - locally you need to remove the forms auth cookie if one was used as well as the FIM cookie, this will sign out from the local application.
You then need to issue wasignoutcleanup10 request to the STS used, which would sign you out from the STS itself and, in theory, shoud issue a wasignoutcleanup1.0 request (or equivalent) to all the other IPs that were involved in the process (the STS should keep track of which IPs were contacted for each request)
I built such scenario once using Windows Identity Foundation which has the components needed, but it did require some development to keep track of the all the IPs and issue the calls.
I suspect that the ACS currently does not support this behaviour meaning that a user will have to close the browser to fully sign-out from all the applications.