I have IdentityServer4 running in Azure on an https url, and I'm using an Angular CLI project with the angular-oauth2-oidc library to handle the Implicit Flow. I'm trying to set up Single Sign Out, but it's not working correctly.
I'm calling logOut on the OAuthService which was auto-configured (via the Discovery Document) to use a logout url on the auth server, i.e. https://my-id4-server.example.com/connect/endsession with query string parameters containing a token_hint and a postLogoutUri.
For some reason, the actual behavior is that IdentityServer4 redirects (302) the browser to the url https://my-id4-server.example.com/account/logout?logoutid=..., for which the browser gets a 404. In addition, if I open the IdentityServer pages in a separate tab, I can see my session is still alive.
The expected behavior is that my session is ended, and that I get redirected back to my SPA.
On the ID4Server side I've configured:
- RedirectUris and PostLogoutRedirectUris with http://localhost:4200 (where my SPA runs currently), amongst others;
- AllowedGrantTypes is set to Implicit
- AllowedCorsOrigins also allows my localhost SPA

In addition I can see the endsession endpoint correctly configured in the .well-known configuration endpoint.
On the SPA side I've configured issuer, redirectUri, clientId, and scope. Logging in with a redirect back works just fine.
Bottom line: what is wrong if the endsession endpoint redirects to account/logout which in turn gives a 404?
The problem was that the Controller action for Logout(...) was missing on the IdentityServer side of things. If you don't have those but everything else is there, then you get said behavior.
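For reference, a sketch of the kind of Logout action the answer refers to, added here as an example and not the poster's own code. It assumes IdentityServer4's default logout URL (/Account/Logout); the view name "Logout", the action name LogoutConfirmed and the "~/" fallback are hypothetical.

```csharp
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;

    public AccountController(IIdentityServerInteractionService interaction)
        => _interaction = interaction;

    // GET /Account/Logout?logoutId=... is where /connect/endsession sends the browser.
    // Without this action the 302 lands on a 404 and the session cookie is never cleared.
    [HttpGet]
    public async Task<IActionResult> Logout(string logoutId)
    {
        var context = await _interaction.GetLogoutContextAsync(logoutId);

        // IdentityServer sets ShowSignoutPrompt based on the parameters passed to the
        // end session endpoint. Ask for confirmation in that case, so that a bare GET
        // from another site cannot silently sign the user out.
        bool signedIn = User?.Identity?.IsAuthenticated == true;
        if (signedIn && context?.ShowSignoutPrompt != false)
            return View("Logout", (object)logoutId); // hypothetical view that POSTs to LogoutConfirmed

        return await SignOutAndRedirect(logoutId);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public Task<IActionResult> LogoutConfirmed(string logoutId)
        => SignOutAndRedirect(logoutId);

    private async Task<IActionResult> SignOutAndRedirect(string logoutId)
    {
        var context = await _interaction.GetLogoutContextAsync(logoutId);

        if (User?.Identity?.IsAuthenticated == true)
            await HttpContext.SignOutAsync(); // clears the IdentityServer session cookie

        // PostLogoutRedirectUri is only populated after IdentityServer has validated it
        // against the client's PostLogoutRedirectUris, so it is safe to redirect to.
        // Redirecting directly skips the front-channel iframe in context.SignOutIFrameUrl.
        if (!string.IsNullOrEmpty(context?.PostLogoutRedirectUri))
            return Redirect(context.PostLogoutRedirectUri);

        return Redirect("~/"); // hypothetical fallback when no validated URI is available
    }
}
```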