IdentityServer4 external logout doesn't remove Google sign-on cookie
I am having trouble logging out of my identityServer under Google login. I can login through Google (external) with no issues but the logout never worked. After clicking on "Logout" I always get a message says "you are now logged out". But when I try to log back in again, I always get right in after clicking on the Googol button. My Chrome's Dev Tool shows that a cookie associated with my Google login left in there regardless if I click on logout.
And if I clear the cookie via Chrome, I will be able to get to the Google login page.
In trying to delete the cookie in my program when logging out, I tried the following code from the AccountController's Logout function. I watched the code got executed in debug mode, but it doesn't make any difference - the cookie is still there after the code gets executed and I am still get right in.
Could anyone tell me what I am missing here? Or is it just impossible to delete cookie from code?
To do an upstream signout the IDP (Google) would have to support the RP-initiated logout spec:
https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
However Google's discovery endpoint (https://accounts.google.com/.well-known/openid-configuration) does not advertise an end_session_endpoint so from that we'd have to conclude that it is not supported by Google.
However you may be able to use prompt=login or max_age={number of seconds} in your authorization_endpoint endpoint request to force interactive authentication again. When you receive the id_token in the callback you can validate that the auth_time claim falls within whatever condition you decide. The end result is that you can insist that users interactively authenticate each time you do a round trip to Google. If auth_time is too far in the past you'd prevent the local session from being established.
- Protect the app from bypassing the root detection (Frida Server)
- Where to store the refresh token on the Client?
- Setting cookie from java spring boot rest API to angular
- Correct way to delete cookies server-side
- Browser ignoring Set-Cookie
- How to Properly Set Up Auth Middleware in Nuxt 3 with Node.js Backend?
- 3rd party cookies in Android 14/New Chrome using Angular/Firebase Auth/Hosting and NodeJs in Server
- How do I store a cookie recording if a user clicked a button, using JavaScript?
- Can using access token alone prevent CSRF attack, since browser prevents accessing cookies of another site?
- How does Double Submit Cookie Pattern Prevent against CSRF attacks?
- Curl cookie authentication
- Set-Cookies Header not setting the cookie
- Why CSRF token should be in meta tag and in cookie?
- I can't receive `httponly` cookie on `localhost` HTTPS back end
- How to get cookie value in expressjs
- Cookie with Max-Age = 0 and Expire = session survived after HTTP redirect?
- Sending custom cookies (and viewing the ones set naturally) with Perl's WWW::Mechanize
- Cookies headers are present but Cookies are not stored in browser
- Django HTTP response always sets `sessionid` cookie and session data do not persist
- How to delete a cookie in FastHTML?
- How to disable cookies in Django manually
- How to delete cookie with Django in Docker?
- Unable to set/get/delete cookies in Next.js 15 route handlers using the Cookies API?
- How to bypass SameSite cookie restriction in Microsoft Edge during local development (HTTP) so browser can accept cookie send from backend
- Set-cookie isn't working with React and Django
- (Safari Only) Axios request does not send cookies to Node.js/Express REST API
- React/Express set-cookie not working across different subdomains
- Blazor Custom AuthenticationStateProvider Not Setting Cookies or Authorizing Pages
- "Remember me" feature for login in TikiWiki site not working
- Set-Cookie in Server Action doesn't work with path /auth