Search code examples
asp.net-core.net-coreoauth-2.0openid-connectauth0

Single sign-out in ASP.NET Core OpenID Connect

I have a number of applications that authenticate users through single sign-on (SSO) with Auth0. One of these is an ASP.NET Core MVC application, which uses the ASP.NET Core OpenID Connect (OIDC) middleware. The single sign-on works fine. For single sign-out from the current app, I'm calling Auth0's /v2/logout endpoint from the OnRedirectToIdentityProviderForSignOut event, per Auth0's quickstart example. However, I don't know how to configure the app to clear the local session when there is an SSO session sign-out from another app. Auth0 mentions:

Redirecting users to the logout endpoint does not cover the scenario where users need to be signed out of all of the applications they used. If you need to provide this functionality you will have to handle this in one of two ways:

  • Have short timeouts on your local session and redirect to Auth0 at short intervals to re-authenticate. This can be done by calling checkSession from the client which does this redirect in a hidden iFrame. If you take the hidden iFrame approach you need to be aware of rate limits and third-party cookie issues.

  • Handle this entirely at the application level by providing your applications a way to notify all other applications when a logout occurs.

I get the impression that the checkSession suggestion is intended for SPAs. How does the ASP.NET Core OpenID Connect middleware handle such SSO session sign-outs? Does it automatically re-authenticate with the authentication server at regular intervals? If so, how can this frequency be configured?

Solution

  • The AddOpenIDConnect middleware module have a dedicated URL that it listens on and that the external provider can call after it has signed out the user.

    The URL is defined in the source here and looks like this:

    SignedOutCallbackPath = new PathString("/signout-callback-oidc");
RemoteSignOutPath = new PathString("/signout-oidc");


/// <summary>
/// The request path within the application's base path where the user agent will be returned after sign out from the identity provider.
/// See post_logout_redirect_uri from http://openid.net/specs/openid-connect-session-1_0.html#RedirectionAfterLogout.
/// </summary>
public PathString SignedOutCallbackPath { get; set; }

/// <summary>
/// Requests received on this path will cause the handler to invoke SignOut using the SignOutScheme.
/// </summary>
public PathString RemoteSignOutPath { get; set; }

    So you could try to configure Auth0 to call the RemoteSignOutPath then that could perhaps work for you. However if you many many clients, then you need to have a different strategy. Perhaps use shorter access-token lifetime?