OpenIDConnect AspNetCore Logout using id_token

Question

Main issue is that I could not find a proper way to logout from identityServer4.

Detailed explanation:

Client side Web application startup.cs contains the following code

app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = "Cookies",
            AutomaticAuthenticate = true
        });
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            AuthenticationScheme = "oidc",
            SignInScheme = "Cookies",
            Authority = "http://localhost:1941/",//local identityServer4
            ClientId = "testsoft",
            ClientSecret = "secret",
            ResponseType = "code id_token token",
            GetClaimsFromUserInfoEndpoint = true,
            RequireHttpsMetadata = false,
            Scope = { "openid", "profile", "email" },
            TokenValidationParameters = new TokenValidationParameters()
            {
                NameClaimType = "name",
                RoleClaimType = "role"
            },
            AutomaticAuthenticate = false,
           AutomaticChallenge = true
    });

IdentityServer4 running locally has the client added as below

 new Client
            {
                ClientId = "testsoft",
                ClientName = "testsoft",
                ClientSecrets = new List<Secret>
                {
                    new Secret("secret".Sha256())
                },
                ClientUri = "http://localhost:55383/",//clientside web application url
                AllowedGrantTypes = GrantTypes.Hybrid,
                AllowAccessTokensViaBrowser = true,
                RedirectUris = new List<string>
                {
                    "http://localhost:55383/signin-oidc"
                },
                RequireConsent = false,
                AllowedScopes = new List<string>
                {
                    StandardScopes.OpenId.Name,
                    StandardScopes.Profile.Name,
                    StandardScopes.Email.Name,
                    StandardScopes.Roles.Name,
                    StandardScopes.OfflineAccess.Name,

                    "api1", "api2",
                },
            },

I was able to login and display the claims on a Controller-View in MVC like this

 [Authorize]
    public IActionResult About()
    {
        return View((User as ClaimsPrincipal).Claims);
    }

And the view displayed was like this. Note that there is no id_token

And I was able to logout using cookie as given below

 public async Task<IActionResult> LogOut()
    {

        await HttpContext.Authentication.SignOutAsync("Cookies");
        return Redirect("~/");
    }

But the problem is I cannot find a way to logout from IdentityServer. The closer I came was to use /connect/endsession?id_token_hint=...&post_logout_redirect_uri=https://myapp.com

But I could not find a way to get raw id_token in code. In the About() method given above I am only getting the claims (which I think is the decrypted contents of id_token) and in those claims list there is no id_token to be seen. But somehow managed to get the id_token from fiddler at this url http://localhost:55383/signin-oidc and then the logout at identityServer triggered(with the help of the url given above).

I have the following questions:

1. How to get id_token in code? (instead of manual copy from fiddler)
2. Is there a better way to logout? Or is there an AspnetCore/Oidc framework method to logout (which in turn call the correct server api with correct parameters) ?
3. I was able to logout and login several times but the id_token was seen the same on fiddler. eg: Bob user, Alice user both had the same id_token. Cookie was cleared and each time different user was displayed on the view still the id_token was same. shouldn't the id_token be different for each login/user?
4. Signout url worked even when I gave a random string as id_token. Does this mean that IdentityServer4 logout functionality do not work based on id_token?

Answer 1

For logging out, did you try-

HttpContext.Authentication.SignOutAsync("oidc");

in your client's Logout Action?