Tags: c#, asp.net-identity, identityserver4

SignOutAsync deletes the cookie, but it is regenerated when returning to the client application?


This is how the logout is done within the API:

    // IdentityServer4 types used here: LogoutRequest (IdentityServer4.Models),
    // UserLogoutSuccessEvent / IEventService (IdentityServer4.Events, IdentityServer4.Services),
    // GetSubjectId / GetDisplayName (IdentityServer4.Extensions).
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task Logout(LogoutRequest logoutContext)
    {
        if (User?.Identity.IsAuthenticated == true)
        {
            // Caveat: PostLogoutRedirectUri is taken from the posted model as-is. The
            // IdentityServer samples obtain the LogoutRequest from
            // IIdentityServerInteractionService.GetLogoutContextAsync(logoutId), which has
            // already validated the URI against the client's registered PostLogoutRedirectUris;
            // a value the caller can supply freely is an open redirect.
            var prop = new AuthenticationProperties
            {
                RedirectUri = logoutContext.PostLogoutRedirectUri
            };

            // Clears the IdP's ASP.NET Identity cookie; the cookie handler issues a
            // redirect to RedirectUri when one is set, so no IActionResult is returned here.
            await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme, prop);
            await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName()));
        }
    }

In the client app I have the following configuration:

        services.AddAuthentication(options =>
        {
            // The local session is a cookie; unauthenticated requests are challenged via OIDC.
            options.DefaultScheme = IdentityConstants.ApplicationScheme;
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie(IdentityConstants.ApplicationScheme, options => { options.AccessDeniedPath = "/Home/AccessDenied"; })
        .AddOpenIdConnect("oidc", options =>
        {
            options.Authority = model.Authority;
            options.ClientId = model.ClientId;
            options.SignInScheme = IdentityConstants.ApplicationScheme;
            // Implicit flow as posted (tokens come back in the URL fragment); the
            // OAuth 2.0 Security BCP recommends authorization code + PKCE instead.
            options.ResponseType = "id_token token";
            // Scope is a collection of individual scope names, one per Add call. A single
            // "openid profile" entry is joined with the handler's defaults into
            // "openid profile openid profile". (openid and profile are already the defaults.)
            options.Scope.Add("openid");
            options.Scope.Add("profile");
        });
        services.AddAuthorization(options =>
        {
            options.AddPolicy("User", p => p.RequireAuthenticatedUser().RequireRole("User"));
        });

When I log out the cookie is deleted, but once I navigate back to the client I am not prompted to log back in and the cookie has returned. Is there something I am doing wrong?


Solution

  • You aren't deleting the single sign-on cookie generated in your Identity Provider. Your client is redirecting to your Identity Provider and redirecting again to your client with a new authentication, since your Identity Provider still maintains the cookie. Capture the requests in Fiddler to see the automatic redirections.

    You should sign out from oidc too in order to delete this cookie:

    await HttpContext.SignOutAsync("oidc");
    

    If you want to sign out automatically (without the Logout view from your Identity Provider) you can set ShowLogoutPrompt to false and AutomaticRedirectAfterSignOut to true in the AccountOptions.cs file.
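As an added example that is not part of the question or the answer above: a client-side logout action that performs both sign-outs, so the client's own cookie and the Identity Provider's SSO cookie are cleared in one flow. It assumes a controller named AccountController, the scheme names from the client configuration in the question (IdentityConstants.ApplicationScheme and "oidc"), and a hypothetical Home/Index page as the final landing URL.

```csharp
// Added example, not code from the question or the answer.
// Assumed: controller name AccountController, a Home/Index action to land on,
// and the scheme names IdentityConstants.ApplicationScheme and "oidc"
// registered exactly as in the client's AddAuthentication configuration.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    // POST-only and anti-forgery protected: a GET logout endpoint can be triggered
    // from any other site (logout CSRF), the same concern as for sign-in.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task Logout()
    {
        // 1. Remove the client's own session cookie. On its own this is what the
        //    question observes: the next protected request is challenged, the IdP
        //    still has its SSO cookie, and the browser is signed straight back in.
        await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);

        // 2. Sign out of the OIDC scheme. The OpenIdConnectHandler turns this into a
        //    redirect to the IdP's end_session_endpoint, which is what actually clears
        //    the IdP's SSO cookie. The IdP sends the browser back to the handler's
        //    SignedOutCallbackPath (default /signout-callback-oidc, which must be
        //    registered as a PostLogoutRedirectUri for this client on the IdP), and
        //    the handler then redirects to the RedirectUri given here.
        await HttpContext.SignOutAsync("oidc", new AuthenticationProperties
        {
            RedirectUri = Url.Action("Index", "Home")
        });
    }
}
```

Two things to check when wiring this up. The handler attaches id_token_hint to the end-session request only if the id_token was stored on sign-in, so set `options.SaveTokens = true;` in AddOpenIdConnect; without id_token_hint, IdentityServer4 cannot tie the request to the client, ignores post_logout_redirect_uri, and therefore cannot redirect back automatically even with AutomaticRedirectAfterSignOut enabled. And `/signout-callback-oidc` (or whatever SignedOutCallbackPath you configure) has to appear in the client's PostLogoutRedirectUris on the IdP, or the redirect back is rejected.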