In a non-Core ASP MVC application I had a controller action for signing out the user globally.
It looked like this:
    public ActionResult Logout()
    {
        Request.GetOwinContext().Authentication.SignOut();
        return Redirect("/");
    }
Now I have an ASP Core client and want a logout. I tried:
    public async Task<ActionResult> LogOut()
    {
        if (User.Identity.IsAuthenticated)
        {
            await HttpContext.Authentication.SignOutAsync("Cookies");
        }
        return Redirect("/");
    }
Update
Now it seems like I get logged out, but I'm redirected to a site which requires auth. I can see that I'm briefly redirected back to the identity server, which automatically signs me in again.
Summarized: I get logged out in my ASP application but not at the identity server.
How can I sign out globally, so that I need to sign in again at the identity server?
If you use OpenIdConnect authentication, you also need to sign out remotely. Try changing your code to something like the below:
    public async Task<ActionResult> LogOut()
    {
        if (User.Identity.IsAuthenticated)
        {
            // Remove the local application cookie
            await HttpContext.Authentication.SignOutAsync("Cookies");
            // Sign out at the OpenID Connect provider as well
            await HttpContext.Authentication.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties()
            {
                RedirectUri = "<signed out url>"
            });
            // if you use different scheme name for openid authentication, use below code
            //await HttpContext.Authentication.SignOutAsync(<your openid scheme>, new AuthenticationProperties()
            //{
            //    RedirectUri = "/signedout"
            //});
        }
        return Redirect("/");
    }
See original sample https://github.com/aspnet/Security/blob/dev/samples/OpenIdConnectSample/Startup.cs
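An added example, not part of the answer above or of the linked sample: the same two-step sign-out written for ASP.NET Core 2.0 or later, where `HttpContext.Authentication` is obsolete. It returns the sign-out result instead of a separate redirect, so the response is the OpenID Connect handler's redirect to the identity server. The controller and action names, the POST-only and antiforgery choices, and the use of the default scheme names for the cookie and OpenID Connect handlers are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller; assumes AddCookie() and AddOpenIdConnect()
// were registered under their default scheme names in Startup.
public class AccountController : Controller
{
    // POST plus antiforgery validation, so another site cannot
    // force a logout with a plain link or image tag.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Logout()
    {
        if (User?.Identity?.IsAuthenticated != true)
        {
            return RedirectToAction(nameof(SignedOut));
        }

        var properties = new AuthenticationProperties
        {
            // Where the user lands after the identity server has
            // ended its own session and redirected back.
            RedirectUri = Url.Action(nameof(SignedOut))
        };

        // SignOutResult calls SignOutAsync for each scheme in order:
        // first the local cookie is removed, then the OpenID Connect
        // handler redirects the browser to the provider's end-session
        // endpoint. No Redirect("/") is returned here, because the
        // handler's redirect must be the response.
        return SignOut(
            properties,
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme);
    }

    // Must not require authentication, otherwise the challenge
    // sends the user straight back to the identity server.
    [AllowAnonymous]
    public IActionResult SignedOut() => Content("You have been signed out.");
}
```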
I came across the same issue, and to solve it I had to clear the response cookies myself in my IdentityServer application.
    var cookies = HttpContext.Request.Cookies.Keys;
    foreach (var cookie in cookies)
    {
        HttpContext.Response.Cookies.Delete(cookie, new CookieOptions
        {
            Domain = "localhost" // Your host name here
        });
    }
    // SignOutAsync depends on IdentityServer4 > Microsoft.AspNetCore.Http.Authentication
    await HttpContext.Authentication.SignOutAsync();
What I did was, when a client wants to sign out, I redirect it to my IdentityServer app, which clears the response cookies as above.
In this code I'm deleting all the cookies for localhost; however, you can add a filter there and delete only the cookies that IdentityServer uses to persist the user authentication.
Below you'll find more details on this implementation.
http://benjii.me/2016/04/single-sign-out-logout-identity-server-4/