
I am using Visual Studio 2015 Enterprise and ASP.NET vNext Beta8 to issue and consume JWT tokens as described here.

In our implementation we're storing some client details in Redis at token issuing time and we would like to flush this information when the user logs out.

My question is: what are the best practices for logging out with OIDC?

While I could roll my own controller for this purpose, I couldn't help but notice Open ID Connect (OIDC) seems somewhat primed to handle this case. For example, OIDC has an OnLogoutEndpoint handler and LogoutEndpointPath settings. But when I call the OIDC logout URI, that handler appears to accept any random x-www-form-urlencoded form I throw at it and doesn't in any particular way seem to be demanding the presence of a token.

Any advice on proper OIDC logout practices would be very much appreciated.

1 Answer

In AspNet.Security.OpenIdConnect.Server, the logic used for the logout endpoint is left as an exercise.

In this sample, it is implemented using an MVC 6 controller, where you're - of course - free to add custom logic to remove cached details from your Redis server.

using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.AspNet.Mvc;

// The controller name is illustrative; the sample only shows the action itself.
public class AuthorizationController : Controller {
    [HttpPost("~/connect/logout")]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout() {
        // When invoked, the logout endpoint might receive an unauthenticated request if the server cookie has expired.
        // When the client application sends an id_token_hint parameter, the corresponding identity can be retrieved using AuthenticateAsync.
        var identity = await HttpContext.Authentication.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);

        // Remove the cached details here. If you need to determine
        // who's the authenticated user, you can use the identity variable.

        // Remove the authentication cookie and return the user to the client application.
        return SignOut("ServerCookie", OpenIdConnectServerDefaults.AuthenticationScheme);
    }
}

You can also do something similar directly from the LogoutEndpoint event. Don't forget to call context.HandleResponse() to make sure the request is not intercepted by another middleware.
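As an added example (not code from the answer or from the AspNet.Security.OpenIdConnect.Server project), here is the same logout action carried through to the Redis flush the question asks about, using StackExchange.Redis. The injected IConnectionMultiplexer, the LogoutController name, the ClientDetailsKey naming scheme and the use of ClaimTypes.NameIdentifier as the subject claim are assumptions; the ASP.NET 5 beta8 API surface (HttpContext.Authentication, Controller.SignOut) is the one the page already uses.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.AspNet.Mvc;
using StackExchange.Redis;

// Illustrative controller, not part of the ASOS sample.
public class LogoutController : Controller {
    // Assumed to be registered in DI; StackExchange.Redis connection shared by the app.
    private readonly IConnectionMultiplexer _redis;

    public LogoutController(IConnectionMultiplexer redis) {
        _redis = redis;
    }

    // POST plus the anti-forgery token means a third-party page cannot log the
    // user out by simply navigating them to this URL (the "superlogout" case).
    [HttpPost("~/connect/logout")]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout() {
        // Null when the server cookie has expired and no usable id_token_hint was sent.
        var identity = await HttpContext.Authentication.AuthenticateAsync(
            OpenIdConnectServerDefaults.AuthenticationScheme);

        if (identity != null) {
            // Assumption: the subject is exposed as the NameIdentifier claim.
            var subject = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;
            if (!string.IsNullOrEmpty(subject)) {
                // Drop the client details stored at token issuing time.
                var db = _redis.GetDatabase();
                await db.KeyDeleteAsync(ClientDetailsKey(subject));
            }
        }

        // Nothing to flush for an anonymous request; still clear the cookie and
        // hand the user back to the client application.
        return SignOut("ServerCookie", OpenIdConnectServerDefaults.AuthenticationScheme);
    }

    // Hypothetical key scheme: one entry per subject, written when the token is issued.
    internal static string ClientDetailsKey(string subject) {
        return "client-details:" + subject;
    }
}
```

Keying the cache by subject means one logout removes the details for every session of that user; if the details are per token, key them by the token's identifier instead and read it from the same identity before deleting. An anonymous request (no cookie, no id_token_hint) deliberately deletes nothing, so an unauthenticated caller cannot evict another user's cache entries.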


11 Comments

Thanks - just out of curiosity, if I use the LogoutEndpoint event, why is that endpoint event expecting a form, or more to the point, what is expected to be in that form?
Using a POST request/form is not mandatory, you can also use a single GET request. I used a form here because I wanted to add anti-XSRF support to the logout endpoint, to prevent unwanted logout (the "superlogout" syndrome). Alternatively, you can also use id_token_hint for that: github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/…
(FYI: starting with the next beta, we'll stop using JWT access tokens by default and go back to opaque tokens. See github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/… for more information)
Ok, given that we're calling app.UseJwtBearerAuthentication will our OIDC implementation function as-is or will we need to turn some additional knobs to keep it working with JWT tokens?
When migrating to beta5, your app will stop working if you don't fix it. Enabling JWT tokens will only require a line of code in the configuration delegate. That said, migrating to our new validation/introspection middleware will be the recommended approach.