Can't get IdentityServer4 logout to work for external (Google) authentication
I am working through IdentityServer4 quickstart and trying to get the external (Google) authentication to work. I am able to login through Google but after that login, even if I click Logout, I always automatically get in in the following times.
Here is the logout logic from AccountController.cs
/// <summary>
/// Handle logout page postback
/// </summary>
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout(LogoutInputModel model)
{
// build a model so the logged out page knows what to display
var vm = await BuildLoggedOutViewModelAsync(model.LogoutId);
if (User?.Identity.IsAuthenticated == true)
{
// delete local authentication cookie
await _signInManager.SignOutAsync();
// raise the logout event
await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName()));
}
// check if we need to trigger sign-out at an upstream identity provider
if (vm.TriggerExternalSignout)
{
// build a return URL so the upstream provider will redirect back
// to us after the user has logged out. this allows us to then
// complete our single sign-out processing.
string url = Url.Action("Logout", new { logoutId = vm.LogoutId });
// this triggers a redirect to the external provider for sign-out
return SignOut(new AuthenticationProperties { RedirectUri = url }, vm.ExternalAuthenticationScheme);
}
return View("LoggedOut", vm);
}
My internal authentication login and logout works just fine by the way. Could someone tell me what I might be missing here?
Update-1
Further debugging shows that the value of vm.TriggerExternalSignout in Logout function is always false when logging out. The variable TriggerExternalSignout only appears twice in source code in the entire solution. The first one is in Logout above and the other is in LoggedOutViewModel.cs as shown below:
The immediate reason why TriggerExternalSignout is false is because the value of the property ExternalAuthenticationScheme is always null. The only place the ExternalAuthenticationScheme get set is in AccountController's BuildLoggedOutViewModelAsync function (see screenshot below), which never seems to be invoked (break point never get hit) during login and logout.
And that's because the value of providerSupportsSignout is false. This makes some sense since Google doesn't support signout, but what should I do to make my logout work?
Update-2
I added the logout logic, as nahidf suggested in his answer, in the BuildLoggedOutViewModelAsync function as the following:
Unfortunately, the logout still doesn't seem to work - I got to the page that says I am logged out after clicking logout from a Google login, but I still get right in by clicking on Google login button when I try to start a new session.
What am I doing wrong here?
- Check if
TriggerExternalSignoutistruein your case, if not should investigate why is that - If
TriggerExternalSignoutis already true, try
// delete local authentication cookie
await HttpContext.SignOutAsync();
// Clear the existing external cookie to ensure a clean login process
wait HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
// Clear the existing external cookie to ensure a clean login process
await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);
When we logout from IdentityServer4, it just log user out from our application. It will NOT log the user out of their Google account. Google doesn't support third party logout.
Edit: For google case TriggerExternalSignout is false as google doesnt support external logout. Ref in code
- ASP Identity Core GeneratePasswordResetTokenAsync expired
- IdentityServer4 in IIS being recycled due to app_offline.htm when using discovery endpoint sometimes
- Identityserver from duende behind caddy has http in the openid config
- How to send email id when calling identity server 4 to login
- IdentityServer token issuer claim missing port number in issued JWT token
- Identity Server 4 - Unable to authenticate user
- How to find out to use best flow in IdentityServer?
- Identityserver 4 in docker compose The remote certificate is invalid according to the validation procedure
- Deploying .net Core 3 linux container on azure web app container with IdentityServer4 certification/http error
- Login to multiple Apps with IdentityServer4
- duende identity server 6.2 session managment
- Any luck in using AddMicrosoftIdentityWebApp in combination with IdentityServer4?
- .net core 3.1 Google SSO Callback url not hit
- What are stored in PersistedGrant table for IdentityServer
- .NET 8 upgrade: OIDC correlation failure with IdentityServer4 on HTTP when using machine name instead of localhost
- Login with Microsoft External Account -Issue when the user cancels the consent prompt during authentication
- Error in configuring identity server. The cookie '.AspNetCore.Identity.Application' has set 'SameSite=None' and must also set 'Secure'
- In Identity Server 4, I have a User's identity but 0 Claims
- Is there a way to connect/disconnect external OpenId providers IdentityServer 4 "on the fly"
- Clarification on Identityserver 4 protecting API scopes with ApiResources
- Exchanging azure AD token with Identity server token
- IdentityServer4 and SSO
- Invalid_client using OpenIdConnect in client application
- "Key vault reference error" in azure web app configuration setting
- why offline_access scope is needed to request refresh token in IdentityServer (OAuth2)?
- Identity Server 4 ASP.NET Quickstart 'refused connection'
- Bearer token not set as expected
- Setting up JWT authentication using the Identity Server and get access token
- ApiResource vs ApiScope vs IdentityResource
- C# .Net Core API Authorized route with Identity Server 4