
Identity Server 4 : Proper logout from MVC Client

I'm in trouble with the Logout feature in IdentityServer 4. My IS4 application is mainly the result of the tutorial on their website, so there is not really custom behavior. I use ASP.NET Core Identity as well. I have an MVC Client (again, basically the project template). I just added a "Logout" button at the top of the Index page, in order to log the current authenticated user out.

This is the Logout method in my MVC Client :

public async Task Logout()
{
    await HttpContext.SignOutAsync("Cookies");
    await HttpContext.SignOutAsync("oidc");
}

So exactly what the tutorial says.

This is the configuration in Startup.cs of MVC Client :

services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
    options.SignInScheme = "Cookies";

    options.Authority = "http://localhost:5000";
    options.RequireHttpsMetadata = false;
    options.CallbackPath = new PathString("/Home/");

    options.ClientId = "Core.WebUI";
    options.ClientSecret = "secret";
    options.ResponseType = "code id_token";

    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;

    options.Scope.Add("offline_access");                    
});

Nothing fancy... Now the MVC Client configuration in the IS4 app :

new Client
{
    ClientId = "Core.WebUI",
    ClientName = "MVC Client",
    ClientSecrets = new List<Secret>
    {
        new Secret("secret".Sha256())
    },
    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
    RequireConsent = false,

    // where to redirect to after login
    RedirectUris = { "http://localhost:5011/Home/" },

    // where to redirect to after logout
    PostLogoutRedirectUris = { "http://localhost:5011/Home/" },
    AlwaysSendClientClaims = true,
    AlwaysIncludeUserClaimsInIdToken = true,
    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile
    },
    AllowOfflineAccess = true
}

Again, mostly what the tutorial says. My problem is: when a user is connected and I click on the logout button, I'm redirected to the IS4 app, to the logout page, which says that I'm now logged off. But actually I'm not, because if I go back to my MVC, I can still access the protected features (with the Authorize attribute). In order to correctly log my user out, once I'm in the logout page of my D4 app, I have to click on the logout button of the IS4 app... And only then am I correctly logged out...

What I want is that when I click the Logout button on my MVC Client, I'd be REALLY logged out, and directly redirected to the home page of my MVC Client (without the "You are now logged out" page)

I'm pretty new to IS4 and ASP.NET, so any help is more than welcome... Thanks!

Flo Dupuy asked Oct 16 '22 10:10


2 Answers

Here's how I solved this:

    public IActionResult LogOff()
    {
        return new SignOutResult(new[] { "oidc", "Cookies" });
    }

jpmir answered Nov 15 '22 09:11


It's better to not use the magic string but:

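    // CookieAuthenticationDefaults.AuthenticationScheme is "Cookies" and
    // OpenIdConnectDefaults.AuthenticationScheme is "OpenIdConnect"; they must
    // match the scheme names passed to AddCookie(...) and AddOpenIdConnect(...).
    return new SignOutResult(new[]
    {
        CookieAuthenticationDefaults.AuthenticationScheme,
        OpenIdConnectDefaults.AuthenticationScheme
    });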

paul van bladel answered Nov 15 '22 10:11
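
An added example, not code from the question, from either answer or from the IdentityServer4 project: a complete logout action that keeps the scheme names in one place, so the names used at sign-out are the ones registered in the question's Startup.cs (`"Cookies"` and `"oidc"`), and that states where the user lands afterwards. `AuthSchemes` and `AccountController` are hypothetical names chosen for illustration.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Hypothetical helper: one source of truth for the scheme names.
// The values are the ones the question registers with
// .AddCookie("Cookies") and .AddOpenIdConnect("oidc", ...).
// Use the same constants in Startup.cs so the two cannot drift apart.
public static class AuthSchemes
{
    public const string Cookie = "Cookies";
    public const string Oidc = "oidc";
}

public class AccountController : Controller
{
    public IActionResult Logout()
    {
        // RedirectUri is the local page the OpenID Connect handler sends the
        // browser to after it has processed the provider's post-logout
        // redirect on its SignedOutCallbackPath
        // (default: /signout-callback-oidc).
        var properties = new AuthenticationProperties { RedirectUri = "/" };

        // Returning the result (instead of only awaiting SignOutAsync) lets
        // MVC run both handlers as the action result:
        //  - the cookie handler expires the local session cookie;
        //  - the OpenID Connect handler redirects to the provider's
        //    end-session endpoint, passing the saved id_token as a hint
        //    (the question sets SaveTokens = true).
        return SignOut(properties, AuthSchemes.Cookie, AuthSchemes.Oidc);
    }
}
```

For the provider to send the browser back, the client's absolute sign-out callback URL (host plus `SignedOutCallbackPath`) has to be listed in that client's `PostLogoutRedirectUris` on the IdentityServer side. To check the result, request an `[Authorize]` action after logging out: it should trigger a new challenge instead of rendering.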