Signing out and bypassing logout confirmation

I am using the example from GitHub to do Authentication.

As documented in the example, setting “options.SaveTokens = true”, should bypass logout confirmation. But when doing a

 await HttpContext.SignOutAsync("signicat", new AuthenticationProperties
 {
     RedirectUri = "/"
 });

It shows the logout confirmation screen. What am I doing wrong?

Hi Joel!

This is likely due to a missing or incorrect post-logout redirect URI. Have you added https://localhost:5001/signout-callback to your client in the dashboard?

Here is what it should look like for the sample application to work properly:

Hope this helps!

I have this in my code:

options.CallbackPath = new PathString("/redirect");
options.SignedOutCallbackPath = new PathString("/signout-oidc");

And this is how it is configured:

But I get the logout confirmation screen, and I do not get redirected after hitting logout either.

And when inspecting the OIDC-context, there is no id_token_hint that could be used. If there was, I presume I could GET endsession with id_token_hint as param? Or Identity Portal… ?

Or should I in that case use id_token? And if I have set up the client to return claims without fetching it manually against the userinfo endpoint, would that be a problem to pass that id_token? Could it be too big?

The ID token should automatically be passed as id_token_hint to the /endsession endpoint when the SaveTokens flag is enabled. Do you see this parameter if you inspect the network traffic when signing out?

It’s indeed possible that the ID token is too big when it includes all the claims. You could try to disable this option in the dashboard, and then use options.GetClaimsFromUserInfoEndpoint = true; to have your app fetch claims from the userinfo endpoint instead.

This is what I get:

first logout-request:

and second logout-request:

I cannot see id_token_hint.

It seems that I can build my own link that I redirect to when browsing to the logout action on the controller. I do a redirect to /endsession and pass constructed query params.

var id_token_hint = await context.GetTokenAsync("signicat", "id_token");

var logoutUri = $"{redirect}&id_token_hint={id_token_hint}&state=";

I will do some more testing, but it seems it works. But I do not understand why I need to do this manually and that it cannot figure it out on its own :slight_smile:

Do you have any idea why this is not working automatically?

Unfortunately not. This is all handled by the Microsoft authentication framework, so it should “just work”.

You could also try something like this:

options.Events.OnRedirectToIdentityProviderForSignOut = async ctx =>
{
    // Copy the saved ID token into the end-session request as id_token_hint
    ctx.ProtocolMessage.IdTokenHint = await ctx.HttpContext.GetTokenAsync("id_token");
};

Well ye. It is really weird :confused:

I cannot get the id_token from the HttpContext on the OnRedirectToIdentityProviderForSignOut-event. I do not feel too happy about it: but I could always store the id_token as a Claim.

Hey @ChristofferS :slight_smile:
Seems that the order in which I was adding services did matter :see_no_evil:
After adding it last in the sequences of my services.Add…, it is now working automatically as expected. Both with signing out without confirmation-button and also with post-signout-redirect. :tada:

Awesome, great to hear that it’s working :grin:

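The settings discussed in this thread, put together in one place as an added example; it is not code from the thread participants or from the Signicat sample. It assumes ASP.NET Core 6 or later with the Microsoft.AspNetCore.Authentication.OpenIdConnect package; the authority URL, client ID, the `Oidc:ClientSecret` configuration key and the `/logout` route are placeholders chosen for illustration.

```csharp
// Added example (Program.cs). Placeholders are marked; replace them with your client's values.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(o =>
    {
        // The cookie scheme holds the local session and, with SaveTokens, the ID token.
        o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = "signicat";
    })
    .AddCookie()
    .AddOpenIdConnect("signicat", o =>
    {
        o.Authority = "https://OIDC-PROVIDER.example";                // placeholder
        o.ClientId = "CLIENT_ID";                                     // placeholder
        o.ClientSecret = builder.Configuration["Oidc:ClientSecret"];  // assumed config key
        o.ResponseType = "code";
        o.SaveTokens = true;                     // stores id_token so it can be sent as id_token_hint
        o.GetClaimsFromUserInfoEndpoint = true;  // fetch claims from userinfo, as suggested in the thread
        o.CallbackPath = "/redirect";
        // Host + this path must exactly match a post-logout redirect URI registered for the client.
        o.SignedOutCallbackPath = "/signout-oidc";
        o.Events.OnRedirectToIdentityProviderForSignOut = async ctx =>
        {
            // Fallback only: fill id_token_hint from the cookie session if the handler left it empty.
            ctx.ProtocolMessage.IdTokenHint ??= await ctx.HttpContext.GetTokenAsync(
                CookieAuthenticationDefaults.AuthenticationScheme, "id_token");
        };
    });

var app = builder.Build();
app.UseAuthentication();

// POST rather than GET, so a plain link or image tag cannot trigger sign-out.
// Clears the local cookie, then redirects to the provider's end-session endpoint.
app.MapPost("/logout", () => Results.SignOut(
    new AuthenticationProperties { RedirectUri = "/" },
    new[] { CookieAuthenticationDefaults.AuthenticationScheme, "signicat" }));

app.MapGet("/", () => "Home");
app.Run();
```

When checking the result in the browser's network tab, the request to the end-session endpoint should carry both `id_token_hint` and `post_logout_redirect_uri`.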