IdentityServer4 logout

There is no client attribute to control this.

When logging out the client application calls the IdentityServer4 End Session Endpoint.

The signout prompt can be bypassed when a client sends the original id_token. This is passed in as the id_token_hint parameter.

In addition, it indicates if the request for the sign-out has been authenticated, and therefore it's safe to not prompt the user for sign-out (per ref).

ShowSignoutPrompt: Indicates if the user should be prompted for signout based upon the parameters passed to the end session endpoint. (Source PDF)

NOTE: If you are using the JavaScript OIDC-Client-JS library, the 'signoutRedirect' method will internally check (see the _signoutStart method, line 354) for the id_token_hint argument or the user's id_token. So if you are using this library to log a user off and want to force the logout screen you will have to clear the user.id_token.

Sample section from _signoutStart()

_signoutStart(args = {}, navigator, navigatorParams = {}) {
    ...
    // Prefer an explicitly supplied hint, otherwise fall back to the stored user's id_token.
    var id_token = args.id_token_hint || user && user.id_token;
    if (id_token) {
        // Sending id_token_hint lets IdentityServer skip the sign-out confirmation page.
        Log.debug("Setting id_token into signout request");
        args.id_token_hint = id_token;
    }
    ...
}

UPDATE:

If you are using IdentityServer4 version 2.x you can use the new class ClientProperty to store key-value pairs. In here you could create a key of "LogoffPromptRequired" and a value of "true" to be used in the client or IdentityServer implementation to determine if the log-off screen is required.

Author: JakeJ

Updated on August 18, 2022
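As an added example (not code from the question, the answer, or the IdentityServer4 project), this is how the "LogoffPromptRequired" client property suggested above could be combined with ShowSignoutPrompt on the IdentityServer side. It assumes IdentityServer4 2.x, the standard IIdentityServerInteractionService and IClientStore services, and a Client whose Properties contain "LogoffPromptRequired" = "true"; the class and method names are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using IdentityServer4.Services;
using IdentityServer4.Stores;

// Hypothetical helper that an AccountController/AccountService could call
// before deciding whether to render the sign-out confirmation view.
public class LogoutPromptPolicy
{
    private const string LogoffPromptRequiredKey = "LogoffPromptRequired"; // property name from the answer

    private readonly IIdentityServerInteractionService _interaction;
    private readonly IClientStore _clients;

    public LogoutPromptPolicy(IIdentityServerInteractionService interaction, IClientStore clients)
    {
        _interaction = interaction;
        _clients = clients;
    }

    // Returns true when the user must confirm sign-out on the IdentityServer page.
    public async Task<bool> ShouldShowPromptAsync(string logoutId)
    {
        var context = logoutId == null
            ? null
            : await _interaction.GetLogoutContextAsync(logoutId);

        // No logout context means the request did not come through the end session
        // endpoint, so nothing has been authenticated: default to prompting.
        if (context == null) return true;

        // IdentityServer already requires the prompt (no valid id_token_hint was sent).
        if (context.ShowSignoutPrompt) return true;

        // A valid id_token_hint would normally skip the prompt; re-enable it only
        // when the client explicitly opted in through its Properties.
        if (context.ClientId == null) return false;
        var client = await _clients.FindClientByIdAsync(context.ClientId);
        return client?.Properties != null
            && client.Properties.TryGetValue(LogoffPromptRequiredKey, out var value)
            && string.Equals(value, "true", StringComparison.OrdinalIgnoreCase);
    }
}
```

The client's own setting (or a cleared id_token in OIDC-Client-JS) still controls whether id_token_hint is sent; this check only lets the server insist on the prompt for clients that ask for it.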

Comments

  • JakeJ
    JakeJ over 1 year

    I am having an issue where I cannot seem to get my Identity Server logout to show the confirmation first. I downloaded the source code for IdentityServer4 from github and found the parameter in the Models folder: LogoutRequest.cs, ShowSignOutPrompt. There are no references to it in IdentityServer except to check it during the logout.

    In debugging, I see that it is false. I don't know where this is supposed to get set, I've checked the options for the client config on both the server and client side, as well as the options on server startup.

    I can find no instances of "ShowSignoutPrompt" in the client code (I'm using the IdentityServer3 Owin Hybrid client sample currently).

    Here's the code flow: We have a button in our default layout which triggers the client's AccountController.Signout():

    public void Signout()
    {
        Request.GetOwinContext().Authentication.SignOut();
    }
    

    From there, I'm not exactly sure how, but the next point it hits is IdentityServer's AccountController.Logout(string logoutId). That method builds the logout prompt view (using checks in AccountServices.BuildLogoutViewModelAsync) and returns it to the user's browser. The only way it works properly to not set the ShowSignoutPrompt to false is if PostLogoutRedirectUri is set to "/signout-callback-oidc". I don't know why.

    When the user clicks "yes" on the view generated above, it goes to IdSrvr's AccountController.Logout(LogoutInputModel model). I am trying to change the last line of that method from:

    return View("LoggedOut", vm);
    

    to:

    return Redirect(vm.PostLogoutRedirectUri);
    

    There's another problem here in that the PostRedirectUri is null here, even though I set it on the client config (well, for that matter, Identity Server's client config also has it).

  • JakeJ
    JakeJ about 6 years
    So if I want to force the logout prompt, I should modify the client to not send the id_token I guess.
  • aaronR
    aaronR about 6 years
    what type of client do you have? C# API, Web client that has JavaScript?
  • JakeJ
    JakeJ about 6 years
    The original source for the client is from the IdentityServer samples, MVC Owin Hybrid. Had to use that in order to get a .NET standard project working with the .NET Core IdentityServer4. The client is from IdentityServer3 but still works with IdentityServer4.
  • aaronR
    aaronR about 6 years
    Can you share the logout code from that client in your question details?
  • aaronR
    aaronR about 6 years
    Are you saying let the user determine if the logoff prompt should be shown?
  • JakeJ
    JakeJ about 6 years
    I figured out how to get IdentityServer to take the PostLogoutRedirectUri, will provide an answer with relevant details and the traps/rabbit holes that result in getting a null on the server side. Thanks for the help everyone.
  • Narshe
    Narshe over 4 years
    @aaronR Is there an option to also bypass the logout screen from identity server as well when using the oidc-client-js library? I'm coding a logout functionality to kick out users that are idle. I used createSignoutRequest(id_token_hint: user.id_token) and performed a GET request to this endpoint but it's not working.