How to get the client_id in the logout endpoint in OpenIddict?


I'm trying to get information about the client who initiated logout (like ClientId and display name).

But I can't get it from the request.

Here is the LogOut action in the client application:

[Route("/logout")]
[HttpGet]
public IActionResult LogOut()
{
    return SignOut(new AuthenticationProperties
    {
        RedirectUri = "/status"
    }, CookieAuthenticationDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme);
}

From the HTTP request retrieved at the logout endpoint in OpenIddict server, the ClientId is null:

HttpContext.GetOpenIddictServerRequest().ClientId; // Null

but these parameters are sent: post_logout_redirect_uri, id_token_hint, state with the request.

Is there a way to include the ClientId with the logout request? In the specs (https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout) it's optional, so maybe it can be enabled/disabled somewhere?


Solution

  • My recommendation is to use the OpenIddict client, which implements the latest draft of the RP-initiated logout specification and will send the client_id parameter for you. You can see it in action here: https://github.com/openiddict/openiddict-samples/tree/dev/samples/Velusia/Velusia.Client

    Alternatively, if you prefer using the MSFT OIDC handler, you can use its event model - and more specifically the OpenIdConnectEvents.OnRedirectToIdentityProviderForSignOut event - to override the URL the user is redirected to when triggering a sign-out.
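
The second option in the answer above, sketched as an added example (not code from the original answer or from the OpenIddict project): the Microsoft OpenID Connect handler is configured so that its sign-out redirect carries client_id next to id_token_hint. The authority URL and client identifier are placeholder assumptions.

```csharp
// Program.cs of the client application (ASP.NET Core minimal hosting, implicit usings).
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Placeholder values (assumptions, not taken from the question).
        options.Authority = "https://auth.example.test/";
        options.ClientId = "example-client";
        options.ResponseType = "code";

        // The handler can only send id_token_hint if the ID token was stored at sign-in.
        options.SaveTokens = true;

        options.Events.OnRedirectToIdentityProviderForSignOut = context =>
        {
            // The event runs before the end-session URL is built, so a parameter
            // set on ProtocolMessage ends up in the redirect query string.
            // Use the handler's configured ClientId, never a request-supplied value.
            context.ProtocolMessage.ClientId = context.Options.ClientId;

            // Per the RP-initiated logout spec, when both client_id and
            // id_token_hint are present the OP must verify that client_id
            // matches the client the ID token was issued to.
            return Task.CompletedTask;
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
```

With this in place the existing LogOut action is unchanged, and the server-side call from the question, HttpContext.GetOpenIddictServerRequest().ClientId, has a value to return.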