Tags: asp.net-core, identityserver4

IdentityServer4 SPA to BFF to API Logout Problem


I'm working through building a prototype of an IdentityServer4-based process where I have an Angular SPA, a "Back-end for Front-end" (BFF) ASP.NET Core API, and a back-end API service (also ASP.NET Core) all interacting with a derivative of the https://demo.identityserver.io/ IdP.

My BFF and back-end API services are based on the samples found at "https://github.com/leastprivilege/AspNetCoreSecuritySamples/tree/aspnetcore3/BFF"

Everything is going pretty well until I try to create the scenario where the user chooses to logout from the IdP Logout page. The BFF service does not 'notice' the user's token and session has been revoked/removed until the tokens expire much later.

I suspect I should be using the process found in the sample https://github.com/IdentityServer/IdentityServer4/tree/main/samples/Clients/src/MvcHybridBackChannel where a cookie event handler in the BFF service implements ValidatePrincipal(CookieValidatePrincipalContext context) to make an explicit call to the IdP to verify the user's token on each request.

First question: is this the correct pattern to accomplish this? Or am I making this needlessly complex?

Second question: what is the method to ask the IdP "Is this session still valid?" (This seems like something that should be easy to do!)

Thank you in advance.


Solution

  • First question: is this the correct pattern to accomplish this? Or am I making this needlessly complex?

    Yes, it is correct. When you log out directly from the IdP you need to inform the client apps that the user has signed out. If you are using a cookie on the BFF you need to do the same for it. Read more here

  • Second question: what is the method to ask the IdP "Is this session still valid?" (This seems like something that should be easy to do!)

    The IdP does not validate the session or cookie; it validates the token. Session/cookie management is the responsibility of the client apps. Read more here
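The pattern the answer endorses, written out as an added example (my own code, not the MvcHybridBackChannel sample, the BFF sample or anything shipped with IdentityServer4): when the user signs out at the IdP, the IdP pushes a logout_token to the BFF's back-channel logout endpoint; the BFF verifies that token and records the ended IdP session id (sid); and a CookieAuthenticationEvents.ValidatePrincipal override rejects the BFF cookie for that sid on the next request. No per-request call to the IdP is needed. Assumed and not from the page: .NET 6 minimal hosting, the authority https://demo.identityserver.io, a client registered as "bff" with secret "secret" and BackChannelLogoutUri https://bff.example/bff/backchannel-logout, the cache key prefix, and all class names.

```csharp
// Added example (not code from the samples the question links, nor from IdentityServer4 itself): a BFF that
// receives the IdP's back-channel logout_token, records the ended IdP session (sid) and rejects its own cookie
// for that session on the next request. .NET 6+ web project with ImplicitUsings on; needs the
// Microsoft.AspNetCore.Authentication.OpenIdConnect package. Values marked "assumed" are mine, not the page's.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); // keep "sub"/"sid" claim names in the cookie principal
builder.Services.AddDistributedMemoryCache();              // swap for Redis/SQL when the BFF runs on several instances
builder.Services.AddSingleton<RevokedSessionStore>();
builder.Services.AddTransient<RevocationAwareCookieEvents>();
builder.Services
    .AddAuthentication(o => { o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; o.DefaultChallengeScheme = "oidc"; })
    .AddCookie(o =>
    {
        o.ExpireTimeSpan = LogoutTokenValidator.CookieLifetime; o.SlidingExpiration = false; // revocation entries outlive the cookie
        o.EventsType = typeof(RevocationAwareCookieEvents);                                 // hooks ValidatePrincipal below
    })
    .AddOpenIdConnect("oidc", o =>
    {
        o.Authority = LogoutTokenValidator.Authority; o.ClientId = LogoutTokenValidator.ClientId;
        o.ClientSecret = "secret"; o.ResponseType = "code";                                 // assumed client registration
    });

var app = builder.Build();
app.UseAuthentication();

// IdentityServer POSTs "logout_token=<jwt>" (form-encoded) here when the user signs out at the IdP. Assumed: the
// client is registered at the IdP with BackChannelLogoutUri = https://bff.example/bff/backchannel-logout
app.MapPost("/bff/backchannel-logout", async (HttpRequest request, RevokedSessionStore store) =>
{
    request.HttpContext.Response.Headers["Cache-Control"] = "no-store";
    ClaimsPrincipal principal;
    try { principal = await LogoutTokenValidator.ValidateAsync((await request.ReadFormAsync())["logout_token"].ToString()); }
    catch (Exception ex) when (ex is SecurityTokenException or ArgumentException or JsonException or InvalidOperationException)
    { return Results.BadRequest(); }                       // bad signature, iss, aud, exp, missing claims or a malformed body
    var sid = principal.FindFirst("sid")?.Value;
    if (sid is not null) await store.RevokeAsync(sid);     // "sub" is also available here for an all-sessions logout
    return Results.Ok();
});
app.Run();

// Which IdP sessions have ended. Each entry expires together with the cookie it invalidates.
sealed class RevokedSessionStore
{
    private readonly IDistributedCache _cache;
    public RevokedSessionStore(IDistributedCache cache) => _cache = cache;
    public Task RevokeAsync(string sid) => _cache.SetStringAsync($"bff:revoked-sid:{sid}", "1",
        new DistributedCacheEntryOptions { AbsoluteExpirationRelativeToNow = LogoutTokenValidator.CookieLifetime });
    public async Task<bool> IsRevokedAsync(string sid) => await _cache.GetStringAsync($"bff:revoked-sid:{sid}") is not null;
}

// Runs on every request that presents the BFF cookie: a local lookup, no per-request call to the IdP.
sealed class RevocationAwareCookieEvents : CookieAuthenticationEvents
{
    private readonly RevokedSessionStore _store;
    public RevocationAwareCookieEvents(RevokedSessionStore store) => _store = store;
    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        var sid = context.Principal?.FindFirst("sid")?.Value;  // copied into the cookie from the id_token at sign-in
        if (sid is null || !await _store.IsRevokedAsync(sid)) return;
        context.RejectPrincipal();                             // this request becomes anonymous ...
        await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme); // ... and the cookie is cleared
    }
}

// Logout-token checks from the OIDC Back-Channel Logout spec: signature, iss, aud and exp against the IdP's
// discovery document; the backchannel-logout event present; no nonce; a sub or sid to act on.
static class LogoutTokenValidator
{
    public const string Authority = "https://demo.identityserver.io";  // assumed IdP
    public const string ClientId = "bff";                              // assumed client_id (the logout_token's aud)
    public static readonly TimeSpan CookieLifetime = TimeSpan.FromHours(8);
    private const string LogoutEvent = "http://schemas.openid.net/event/backchannel-logout";
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> Discovery = new(
        $"{Authority}/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever(), new HttpDocumentRetriever());

    public static async Task<ClaimsPrincipal> ValidateAsync(string logoutToken)
    {
        var config = await Discovery.GetConfigurationAsync(CancellationToken.None); // cached and refreshed periodically
        var handler = new JwtSecurityTokenHandler { MapInboundClaims = false };
        var principal = handler.ValidateToken(logoutToken, new TokenValidationParameters
            { ValidIssuer = config.Issuer, ValidAudience = ClientId, IssuerSigningKeys = config.SigningKeys }, out _);
        if (principal.FindFirst("nonce") is not null) throw new SecurityTokenException("logout_token must not carry a nonce");
        if (principal.FindFirst("sub") is null && principal.FindFirst("sid") is null) throw new SecurityTokenException("no sub or sid");
        using var events = JsonDocument.Parse(principal.FindFirst("events")?.Value ?? "{}");
        if (events.RootElement.ValueKind != JsonValueKind.Object || !events.RootElement.TryGetProperty(LogoutEvent, out _))
            throw new SecurityTokenException("logout_token lacks the backchannel-logout event");
        return principal;
    }
}
```

The IdP only sends a logout_token to clients whose registration carries a BackChannelLogoutUri, and it identifies the session by the sid claim it placed in the id_token, so the cookie principal has to keep that claim under its original name; that is why DefaultInboundClaimTypeMap is cleared before the OIDC handler validates its first id_token. Two things this deliberately does not do: it ends only the BFF's cookie session, so a self-contained JWT access token the BFF already holds stays valid until it expires (for that, use reference tokens and let the back-end API introspect them, which is the sense in which the answer says the IdP validates tokens rather than sessions); and it does not track jti values to reject a replayed logout_token, which the spec recommends and which the same IDistributedCache could hold.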