Single Signout/Logout for Duende Identity Server v6
Refer to the Duende IdentityServer documentation for the full details.
Signing out of IdentityServer itself is as simple as removing its authentication cookie, but a complete sign-out also means signing the user out of every client application that shares that session.
The logout page is responsible for terminating the user's authentication session. This is a potentially complicated process and involves these steps:
- ending the session by removing the authentication cookie in your IdentityServer;
- possibly triggering sign-out at an external provider, if an external login was used;
- notifying all client applications that the user has signed out;
- if the logout was client-initiated, redirecting the user back to the client.
Ending the Session
Removing the Authentication Cookie: To remove the authentication cookie, use the ASP.NET Core SignOutAsync extension method on the HttpContext, passing the scheme that was used to sign the user in:
await HttpContext.SignOutAsync(IdentityServerConstants.DefaultCookieAuthenticationScheme);
Or use the overload that signs out of the default authentication scheme:
await HttpContext.SignOutAsync();
Client Notifications
As part of the logout process you will want to ensure that client applications are informed that the user has signed out. This is done by sending a notification to an endpoint provided by each client application. Depending on your architecture, there are three supported techniques to call these endpoints:
- front-channel notifications via the browser
- back-channel notifications via server-side call
- a PostMessage-based notification for JavaScript clients
Duende IdentityServer keeps track of the client applications involved with the current user session and provides helpers and automated ways of invoking the notification mechanisms.
IdentityServer supports the OpenID Connect front-channel and back-channel logout specifications for server-side clients (e.g. MVC), and the session management specification for browser-based JavaScript clients (SPAs built with React, Angular, etc.).
Front-channel server-side clients
Clients that wish to be notified must have the FrontChannelLogoutUri configuration value set. IdentityServer tracks which clients the user has signed into, and provides an API called GetLogoutContextAsync on the IIdentityServerInteractionService. This API returns a LogoutRequest object whose SignOutIFrameUrl property your logged-out page must render into a hidden <iframe>; loading that iframe is what actually delivers the front-channel notifications, so if the page never renders it, no client is told. Because the context is built from the user's current session, obtain it (GetLogoutContextAsync with the client's logoutId, or CreateLogoutContextAsync when the logout was started from IdentityServer itself) before the cookie is removed.
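The following MVC controller ties the four steps above together on the IdentityServer side. It is an added example for this article, not the Duende quickstart code or anything from the original post; the controller and view names (AccountController, Logout, LoggedOut), the LogoutInputModel and LoggedOutViewModel types, and the assumption that the LoggedOut view renders the SignOutIFrameUrl in an iframe are all choices made for the example. The Duende APIs used (IIdentityServerInteractionService, CreateLogoutContextAsync, GetLogoutContextAsync, LogoutRequest, GetSchemeSupportsSignOutAsync) are the real ones.

```csharp
using Duende.IdentityServer;
using Duende.IdentityServer.Extensions;
using Duende.IdentityServer.Services;
using IdentityModel;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

namespace IdentityServerHost.Controllers;

// Posted from the confirmation page. LogoutId is null when the user started
// the logout from IdentityServer itself rather than from a client.
public class LogoutInputModel
{
    public string? LogoutId { get; set; }
}

// Model for the (assumed) "LoggedOut" view. That view must contain
//   <iframe width="0" height="0" src="@Model.SignOutIFrameUrl"></iframe>
// because loading that URL is what delivers the front-channel notifications.
public class LoggedOutViewModel
{
    public string? ClientName { get; set; }
    public string? PostLogoutRedirectUri { get; set; }
    public string? SignOutIFrameUrl { get; set; }
}

public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;

    public AccountController(IIdentityServerInteractionService interaction)
    {
        _interaction = interaction;
    }

    // A client-initiated logout lands here with ?logoutId=...; IdentityServer has
    // already validated the client's id_token_hint and post_logout_redirect_uri.
    [HttpGet]
    public async Task<IActionResult> Logout(string? logoutId)
    {
        var context = await _interaction.GetLogoutContextAsync(logoutId);

        // No prompt needed: nobody is signed in, or the request is from a validated
        // client (ShowSignoutPrompt is false). Perform the sign-out directly.
        if (User.Identity?.IsAuthenticated != true || context?.ShowSignoutPrompt == false)
        {
            return await Logout(new LogoutInputModel { LogoutId = logoutId });
        }

        // Otherwise confirm first, so a third party cannot sign the user out
        // just by linking to this URL.
        return View(new LogoutInputModel { LogoutId = logoutId });
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout(LogoutInputModel model)
    {
        var logoutId = model.LogoutId;

        if (User.Identity?.IsAuthenticated == true)
        {
            // Capture the session (sid, participating clients, post-logout URI) BEFORE
            // the cookie is removed; afterwards there is no session left to build it from.
            logoutId ??= await _interaction.CreateLogoutContextAsync();

            // Read the external provider from the claims while the principal is still here.
            var idp = User.FindFirst(JwtClaimTypes.IdentityProvider)?.Value;

            // Step 1: end the session by removing IdentityServer's authentication cookie.
            await HttpContext.SignOutAsync();

            // Step 2: if an external login was used and that scheme supports sign-out,
            // sign out there too and come back to the logged-out page afterwards.
            if (idp != null
                && idp != IdentityServerConstants.LocalIdentityProvider
                && await HttpContext.GetSchemeSupportsSignOutAsync(idp))
            {
                var returnUrl = Url.Action("LoggedOut", new { logoutId });
                return SignOut(new AuthenticationProperties { RedirectUri = returnUrl }, idp);
            }
        }

        return RedirectToAction("LoggedOut", new { logoutId });
    }

    // Steps 3 and 4: render the notification iframe and offer the way back to the client.
    [HttpGet]
    public async Task<IActionResult> LoggedOut(string? logoutId)
    {
        // The context survives the external round-trip because it is stored under logoutId.
        var context = await _interaction.GetLogoutContextAsync(logoutId);
        return View(new LoggedOutViewModel
        {
            ClientName = string.IsNullOrEmpty(context?.ClientName) ? context?.ClientId : context?.ClientName,
            PostLogoutRedirectUri = context?.PostLogoutRedirectUri, // already validated against the client config
            SignOutIFrameUrl = context?.SignOutIFrameUrl,
        });
    }
}
```

The ordering in the POST action is the part that tends to go wrong in practice: if SignOutAsync runs before CreateLogoutContextAsync, the context is built from an empty session, SignOutIFrameUrl comes back null, and the clients are never notified even though IdentityServer's own cookie is gone.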
In the client configuration (the dbo.Clients table when using the EF Core configuration store), set FrontChannelLogoutUri to the callback action of the MVC client application.
Example:
dbo.Clients.FrontChannelLogoutUri = "https://mvc.com/Account/FrontChannelCallBack"
In the MVC client's controller, add an action method named "FrontChannelCallBack" to handle the logout notification:
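As an added example (not the article's own snippet and not library code), here is what that callback action can look like on the MVC client. With the default FrontChannelLogoutSessionRequired = true, IdentityServer appends sid and iss to the FrontChannelLogoutUri when it loads it in the hidden iframe; the action checks both before ending the local session. The configuration key Authentication:Authority, the controller name and the use of the default cookie scheme are assumptions for the example.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

namespace MvcClient.Controllers;

public class AccountController : Controller
{
    // Issuer we expect in the notification, e.g. "https://identityserver.example"
    // (read from an assumed config key; compare without a trailing slash).
    private readonly string _expectedIssuer;

    public AccountController(IConfiguration configuration)
    {
        _expectedIssuer = (configuration["Authentication:Authority"]
            ?? throw new InvalidOperationException("Authentication:Authority is not configured"))
            .TrimEnd('/');
    }

    // Registered in IdentityServer as https://mvc.com/Account/FrontChannelCallBack.
    // It is loaded by IdentityServer's sign-out iframe as a plain GET with
    // ?sid=<session id>&iss=<issuer> appended.
    [HttpGet]
    public async Task<IActionResult> FrontChannelCallBack(string? sid, string? iss)
    {
        // The response lives inside IdentityServer's iframe: it must never be cached,
        // and this endpoint must not be served with X-Frame-Options: DENY (allow the
        // IdentityServer origin in frame-ancestors) or the notification silently never runs.
        Response.Headers["Cache-Control"] = "no-cache, no-store";
        Response.Headers["Pragma"] = "no-cache";

        if (User.Identity?.IsAuthenticated != true)
        {
            return NoContent(); // no local session to end
        }

        // Check 1: the notification must name the issuer this client trusts.
        if (string.IsNullOrEmpty(iss)
            || !string.Equals(iss.TrimEnd('/'), _expectedIssuer, StringComparison.Ordinal))
        {
            return NoContent();
        }

        // Check 2: the sid must match the sid claim the OpenID Connect handler copied
        // from the id_token into this client's cookie. Without this check anyone who can
        // get the browser to load this URL can log the user out of the client.
        var currentSid = User.FindFirst("sid")?.Value;
        if (string.IsNullOrEmpty(sid)
            || !string.Equals(sid, currentSid, StringComparison.Ordinal))
        {
            return NoContent();
        }

        // Both checks passed: end the local session by removing the client's cookie.
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return NoContent();
    }
}
```

Note that the ASP.NET Core OpenIdConnect handler already implements exactly this check at its RemoteSignOutPath (default /signout-oidc), so a hand-written action is only needed when you want custom behaviour; otherwise you can point FrontChannelLogoutUri at that path instead.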
Browser-based JavaScript clients
Browser-based clients (e.g. Angular) are not notified by IdentityServer; instead they must monitor the check_session_iframe exposed by IdentityServer's session management endpoint and react when the session state changes. This monitoring is implemented by spec-compliant client libraries such as the oidc-client JavaScript library.
That’s all for this article.
Happy Coding!!
https://linkedin.com/in/ghanshyam-shukla-52b42070