Search code examples
c#asp.net-mvc-5owin

How to Logout of Owin Providers?

I am following this tutorial yet it does not tell you how to logout. I tried to do 

Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);

Request.GetOwinContext().Authentication.SignOut()

          Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

You can get the sample code here: https://github.com/AndersAbel/SocialLoginWithoutIdentity

Just need to add one more action

public ActionResult SignOut()
 {
       Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);
       return RedirectToAction("Index", "Home");
 }

This method plus any one of the 3 lines of I posted above

My result right now is, I login, I go to secure page and can see it, I then proceed to my signout and then after signout try to go back to the secure page and I am allowed back to that secure page.

So it actually did not really sign me out.

Solution

  • As mentioned in the tutorial, the middleWare used use the default authentication type but don't override it.

    By using only externalCookie as parameter for Owin you are clearing the cookie for Asp, but not the one used to store the Google provider,

    to do so, you will have to get the array of all current cookies. It can be done the easy way like this:

    Request.GetOwinContext()
       .Authentication
       .SignOut(HttpContext.GetOwinContext()
                           .Authentication.GetAuthenticationTypes()
                           .Select(o => o.AuthenticationType).ToArray());

    This is where it is said on the Tutorial:

    The call to UseGoogleAuthentication should be quite obvious why it’s needed.

    But the first one toSetDefaultSignInAsAuthenticationType is not as obvious. login middleware normally relies on the external cookie middleware registered before the social login middleware. external cookie middleware, it sets itself as the default signin type. That’s how the social login middleware knows that it should use the external cookie. In this setup there is no external cookie, so we have to manually set the main cookie middleware as the default signin type. The cookie middleware will only issue a cookie if the AuthenticationType matches the one in the identity created by the social login middleware.Looking at the owin external authentication pipeline a socialIn the setup of the