Escape all usage of <iframe> tags #355

Merged
merged 1 commit into from
Oct 3, 2023
Expand Up @@ -170,7 +170,7 @@ The above methods return various models.

* ***SignOutIFrameUrl***

The URL to render in an *<iframe>* on the logged out page to enable single sign-out.
The URL to render in an *\<iframe>* on the logged out page to enable single sign-out.

* ***Parameters***
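
Review bot: On the changed *SignOutIFrameUrl* description line, the backslash escape only works as long as the renderer consumes `\<` as an escape, so the fix depends on renderer behaviour. An inline code span (`<iframe>` in backticks) would show the element name literally without depending on escape handling, and would not turn back into raw HTML if the renderer or its configuration changes. Consider using a code span here and at the other occurrences in this change.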

Expand Up @@ -7,8 +7,8 @@ Federated sign-out is the situation where a user has used an external identity p
When the user signs out, it will be useful for IdentityServer to be notified so that it can sign the user out of IdentityServer and all of the applications that use IdentityServer.

Not all external identity providers support federated sign-out, but those that do will provide a mechanism to notify clients that the user has signed out.
This notification usually comes in the form of a request in an *<iframe>* from the external identity provider's "logged out" page.
IdentityServer must then notify all of its clients (as discussed [here]({{< ref "../logout" >}})), also typically in the form of a request in an *<iframe>* from within the external identity provider's *<iframe>*.
This notification usually comes in the form of a request in an *\<iframe>* from the external identity provider's "logged out" page.
IdentityServer must then notify all of its clients (as discussed [here]({{< ref "../logout" >}})), also typically in the form of a request in an *\<iframe>* from within the external identity provider's *\<iframe>*.

What makes federated sign-out a special case (when compared to a normal [logout]({{< ref "../logout" >}})) is that the federated sign-out request is not to the normal sign-out endpoint in IdentityServer.
In fact, each external IdentityProvider will have a different endpoint into your IdentityServer host.
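
Review bot: On the second changed line (starting "IdentityServer must then notify"), two escaped `\<iframe>` occurrences now share a line with the `{{< ref "../logout" >}}` shortcode, whose own `<` has to stay unescaped. Please confirm from a rendered preview that the link still resolves and that no literal backslash shows up in the output for either this line or the one above it.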
Expand All @@ -19,7 +19,7 @@ which means we are missing the sign-out notifications to IdentityServer's client
We must add code for each of these federated sign-out endpoints to render the necessary notifications to achieve federated sign-out.

Fortunately IdentityServer already contains this code.
When requests come into IdentityServer and invoke the handlers for external authentication providers, IdentityServer detects if these are federated signout requests and if they are it will automatically render the same *<iframe>* as [described here for logout]({{< ref "../logout" >}}).
When requests come into IdentityServer and invoke the handlers for external authentication providers, IdentityServer detects if these are federated signout requests and if they are it will automatically render the same *\<iframe>* as [described here for logout]({{< ref "../logout" >}}).


In short, federated signout is automatically supported.
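
Review bot: The changed line says "federated signout requests" while the page title text and the previous hunk use "sign-out". Since this line is being touched anyway, normalise it to "sign-out" and add the missing comma after "if they are". The closing sentence "federated signout is automatically supported" has the same spelling and could be aligned in the same commit.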