c# asp.net-mvc owin katana identityserver3

Use HttpPost for Logout in OWIN/Katana authentication manager


Is there a way to force the Katana authentication manager to call the Logout endpoint from IdentityServer3 with an HttpPost instead of an HttpGet method?

I currently use this method to call the endsession endpoint from IdentityServer3 (according to this tutorial):

public ActionResult Logout()
{
    // standard way with HTTP GET
    Request.GetOwinContext().Authentication.SignOut();

    return Redirect("/");
}

I need this, because the URL would have more than 2000 chars and this will lead to some errors.

Thanks for the help


Solution

  • Sadly, the OWIN middleware does not support HttpPost sign-out actions. As a workaround, you can manually post the necessary parameters to the end session endpoint.

    I provide a link in my MVC5 application, so that a user is able to log out:

    @{
        Claim idTokenHintClaim = Request.GetOwinContext().Authentication.User.FindFirst("id_token");
        string idTokenHint = idTokenHintClaim != null
            ? idTokenHintClaim.Value
            : null;
    }
    <form action="https://.../core/endsession" method="POST" id="logoutForm">
        <input type="hidden" name="id_token_hint" value="@idTokenHint"/>
        <input type="hidden" name="post_logout_redirect_uri" value="@PostLogoutRedirectUrl"/>
    </form>
    <a href="javascript:document.getElementById('logoutForm').submit()">
        Logout
    </a>
    

    IdentityServer3 does its job and destroys the current user session. After that, IdentityServer3 calls our @PostLogoutRedirectUrl. The @PostLogoutRedirectUrl points to a controller method of the MVC application:

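    public ActionResult LogoutCallback()
    {
        // Build an already-expired cookie with the application's auth cookie name
        HttpCookie cookie = new HttpCookie("SecureCookieName");
        cookie.HttpOnly = true;
        cookie.Expires = new DateTime(1999, 10, 12);

        // Replace any pending cookie of that name so the browser deletes it
        Response.Cookies.Remove("SecureCookieName");
        Response.Cookies.Add(cookie);
    
        // Application-specific helper (not shown in this answer)
        SetPasswordResetHint();
    
        return RedirectToAction("Index");
    }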
    

    I hope the support for HttpPost methods will be added in the OWIN middleware soon.
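
An added example, not part of the original answer or of the OWIN/IdentityServer3 projects: the same POST to the end session endpoint, built server-side in a logout action, so the id_token is rendered only when the user actually logs out and never appears in a URL. The endpoint and redirect URLs, the "Cookies" authentication type and the controller name are assumptions.

```csharp
using System.Security.Claims;
using System.Text;
using System.Web;
using System.Web.Mvc;

public class AccountController : Controller
{
    // Assumed placeholders, not values from the page: replace with your own.
    private const string EndSessionEndpoint = "https://idsrv.example.test/core/endsession";
    private const string PostLogoutRedirectUri = "https://app.example.test/Account/LogoutCallback";
    private const string LocalCookieAuthType = "Cookies"; // assumed cookie middleware AuthenticationType

    // Reached only by an anti-forgery-protected POST, so a cross-site link or image cannot log the user out.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        var auth = Request.GetOwinContext().Authentication;
        Claim idToken = auth.User != null ? auth.User.FindFirst("id_token") : null;

        // Naming the cookie type limits the sign-out to the local cookie middleware,
        // so the OpenID Connect middleware does not issue its GET redirect.
        auth.SignOut(LocalCookieAuthType);

        // Self-submitting form: the id_token travels in the POST body, not the URL.
        var html = new StringBuilder();
        html.Append("<!DOCTYPE html><html><body onload=\"document.forms[0].submit()\">");
        html.AppendFormat("<form method=\"post\" action=\"{0}\">", HttpUtility.HtmlAttributeEncode(EndSessionEndpoint));
        if (idToken != null)
        {
            html.AppendFormat("<input type=\"hidden\" name=\"id_token_hint\" value=\"{0}\"/>",
                HttpUtility.HtmlAttributeEncode(idToken.Value));
        }
        html.AppendFormat("<input type=\"hidden\" name=\"post_logout_redirect_uri\" value=\"{0}\"/>",
            HttpUtility.HtmlAttributeEncode(PostLogoutRedirectUri));
        // Fallback button for browsers where the inline onload script does not run.
        html.Append("<noscript><button type=\"submit\">Continue logout</button></noscript>");
        html.Append("</form></body></html>");

        // The page contains the id_token, so keep it out of browser and proxy caches.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        return Content(html.ToString(), "text/html");
    }
}
```

The logout form in the view that posts to this action must include `@Html.AntiForgeryToken()`, and the post-logout redirect URI has to be registered for the client in IdentityServer3.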