From b4342b1604260591ff0b508a1efb393989bb5fbb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Tue, 7 Jun 2016 00:20:35 +0200
Subject: [PATCH] Replace magic strings by the new constants introduced in IdentityModel
---
 .../OpenIdConnectHandler.cs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs b/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs
index 4189ee262c..6488d10d72 100644
--- a/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs
+++ b/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs
@@ -112,17 +112,19 @@ namespace Microsoft.AspNetCore.Authentication.OpenIdConnect
 // If the identifier cannot be found, bypass the session identifier checks: this may indicate that the
 // authentication cookie was already cleared, that the session identifier was lost because of a lossy
 // external/application cookie conversion or that the identity provider doesn't support sessions.
- var sid = (await Context.Authentication.AuthenticateAsync(Options.SignOutScheme))?.FindFirst("sid")?.Value;
+ var sid = (await Context.Authentication.AuthenticateAsync(Options.SignOutScheme))
+ ?.FindFirst(JwtRegisteredClaimNames.Sid)
+ ?.Value;
 if (!string.IsNullOrEmpty(sid))
 {
 // Ensure a 'sid' parameter was sent by the identity provider.
- if (string.IsNullOrEmpty(message.GetParameter("sid")))
+ if (string.IsNullOrEmpty(message.Sid))
 {
 Logger.RemoteSignOutSessionIdMissing();
 return true;
 }
 // Ensure the 'sid' parameter corresponds to the 'sid' stored in the authentication ticket.
- if (!string.Equals(sid, message.GetParameter("sid"), StringComparison.Ordinal))
+ if (!string.Equals(sid, message.Sid, StringComparison.Ordinal))
 {
 Logger.RemoteSignOutSessionIdInvalid();
 return true;
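Review bot: When the `FindFirst(JwtRegisteredClaimNames.Sid)` lookup at the top of the hunk returns null, the whole `if (!string.IsNullOrEmpty(sid))` block is skipped without any log entry, so nothing records that a remote sign-out request was accepted without session-identifier validation. The comment lists legitimate reasons for that, but the same path is presumably also taken when claim-type mapping or a claims transformation stores the session identifier under a different claim type, and an operator has no signal to tell the cases apart. I would add a debug-level log entry on that path, next to the existing `Logger.RemoteSignOutSessionIdMissing()` and `Logger.RemoteSignOutSessionIdInvalid()` calls, and extend the comment with `// Note: the lookup matches the short 'sid' claim type only; a remapped claim disables the checks below.` The enclosing method begins and ends outside this hunk, so whether a later line already logs this is not visible here.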