Tags: c#, identityserver4, openid-connect, .net-5, pkce

Sign out from OIDC client not working with IdentityServer4


I'm currently working on a .NET 5 application using IdentityServer4.

I use the Authorization Code + PKCE flow to sign in - unfortunately the logout does not seem to work correctly on localhost.

My application landscape looks like this:

  • App (WebApp)
  • IdentityServer4

My Client definition in IdentityServer4 looks like this:

// Authorization Code + PKCE Flow
new Client
{
    ClientId = "oidcClient",
    ClientName = "Example App",
    ClientSecrets = { new Secret("secret".Sha256()) },

    RedirectUris = { "https://localhost:44301/signin-oidc" },
    PostLogoutRedirectUris = { "https://localhost:44301/signout-callback-oidc" },

    AllowedGrantTypes = GrantTypes.Code,
    RequirePkce = true,
    RequireClientSecret = true,
    
    AllowedScopes = 
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Email,
        IdentityServerConstants.StandardScopes.OfflineAccess,
        "roles",
    },

    AllowPlainTextPkce = false,
},

My OIDC connect on the client app looks like this:

services.AddAuthentication(options => 
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options => 
{
    options.Authority = "https://localhost:5001";
    options.RequireHttpsMetadata = true;
    options.ClientId = "oidcClient";
    options.ClientSecret = "secret";

    options.ResponseType = "code";
    options.UsePkce = true;
    options.ResponseMode = "query";

    options.Scope.Add("offline_access");
    options.Scope.Add("roles");
    
    options.SaveTokens = true;
});

The logout method in my WebApp HomeController looks like this:

public async Task<IActionResult> Logout()
{
    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);

    return new SignOutResult(new[] { OpenIdConnectDefaults.AuthenticationScheme, CookieAuthenticationDefaults.AuthenticationScheme });
}

The IdentityServer4 logs tell me on login => Login Success and on logout => Logout Success.

This is strange - the application stays logged in all the time.

When I logout and return to the WebApp Home Index page I'm still logged in - although I should be logged out.

Do you know how to properly configure the logout in an IdentityServer4 OIDC application?

Do you know how to solve this issue?


Solution

  • The Logout method should never return anything, because if you do, you override the redirect that the SignOut methods generate internally.

    A better way is to do this:

    public async Task DoLogout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
    }
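For reference, here is a complete controller action in the shape the answer recommends, as an added example that is not part of the original question or answer. It assumes the client is "oidcClient" from the question (PostLogoutRedirectUri https://localhost:44301/signout-callback-oidc, SaveTokens = true), that logout is triggered by a POST form, and that the action should land on Home/Index after IdentityServer redirects back.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class HomeController : Controller
{
    // The action returns Task, not IActionResult, so the redirect that the
    // OpenID Connect handler writes into the response is the one the browser sees.
    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken] // assumption: logout is a POST form, so a third-party GET link cannot trigger it
    public async Task Logout()
    {
        // Where the client app should end up after IdentityServer has redirected
        // back to /signout-callback-oidc (the registered PostLogoutRedirectUri).
        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Action("Index", "Home")
        };

        // 1. Remove the local session cookie (the Set-Cookie header that expires it
        //    is part of this same response).
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme, props);

        // 2. Let the OIDC handler redirect the browser to IdentityServer's end_session
        //    endpoint. Because SaveTokens = true, the handler adds id_token_hint from the
        //    stored id_token and post_logout_redirect_uri = .../signout-callback-oidc.
        //    Nothing is returned after this call; an IActionResult here would replace
        //    that redirect.
        await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme, props);
    }
}
```

The post_logout_redirect_uri sent by the handler must match the PostLogoutRedirectUris entry on the IdentityServer4 client exactly (scheme, host and port included), otherwise IdentityServer will not redirect back and the local cookie sign-out is the only thing that completes.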