I'm working on a project that has both a website and an app that use the same IdentityServer4 to authenticate users. On the website, when a user logs out, he gets a confirmation screen to ask whether he's sure he wants to log out.
The problem is that on the app, we can't show the logout prompt because, well, it's an app written in Xamarin and we can't redirect to the logout prompt page.
Is there a way to disable the logout prompt when the request comes from the app?
Excerpts from the IdentityServer4 sign-out documentation, for context: typically you should prompt the user for sign-out (meaning the actual sign-out requires a POST); otherwise an attacker could hotlink to your logout page and cause the user to be logged out automatically.
To sign the user out of server-side client applications via the back-channel logout spec, the IBackChannelLogoutService service can be used. IdentityServer uses this service automatically when your logout page removes the user's authentication cookie via a call to HttpContext.SignOutAsync.
Calling IIdentityServerInteractionService.CreateLogoutContextAsync creates a cookie capturing all the current state needed for sign-out, and the logoutId identifies that cookie. This is typically used when there is no current logoutId and the logout page must capture the current user's state needed for sign-out before redirecting to an external identity provider for sign-out.
Unrelated to the prompt, but from the same documentation: to use reference tokens in IdentityServer4, the client can be defined with the AccessTokenType property set to AccessTokenType.Reference. See also the article "Full Server logout with IdentityServer4 and OpenID Connect Implicit Flow".
I had the same problem and I solved it. This was the first Google result, so I decided to put my answer here for others to see.
Solution: inside the IdentityServer4 Quickstart project the logic is already there and ready to be configured for your needs.
I hope this will help, good luck.
The end session endpoint supports skipping confirmation if you pass a valid id_token_hint in the request.
The relevant spec is here: http://openid.net/specs/openid-connect-session-1_0.html#RPLogout
If a valid id_token is passed (i.e. the one you got when you signed in) then the OP should skip confirmation, do the sign out and then allow the user to be redirected to the post logout redirect URL (if supplied).
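As an added example (this is not code from the question or from the answers above), here are the two halves of the mechanism the documentation excerpt and this answer describe, in C#: the Xamarin app builds an end-session request that carries id_token_hint, and the IdentityServer4 Quickstart UI's AccountController honours LogoutRequest.ShowSignoutPrompt, which IdentityServer sets to false when it could identify the client from a valid id_token_hint. It assumes the Quickstart UI types (LogoutViewModel, LogoutInputModel, LoggedOutViewModel, AccountOptions), the standard /connect/endsession path, and a post-logout redirect URI of myapp://signed-out that is registered in the client's PostLogoutRedirectUris (the URI and the authority are hypothetical values).

```csharp
// Added example, not from the original post. Assumes the IdentityServer4 Quickstart UI.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// ---- App side (Xamarin): build the end-session URL so the OP can skip the prompt ----
public static class EndSessionRequest
{
    // authority: e.g. "https://login.example.com" (hypothetical); idToken: the id_token
    // received at sign-in; state: a random value the app generated so it can match the
    // redirect back to this request.
    public static string Build(string authority, string idToken, string postLogoutRedirectUri, string state)
    {
        // id_token_hint is what lets the OP identify the client and skip confirmation.
        // post_logout_redirect_uri must be pre-registered on the client or IdentityServer ignores it.
        var query = new List<string>
        {
            "id_token_hint=" + Uri.EscapeDataString(idToken),
            "post_logout_redirect_uri=" + Uri.EscapeDataString(postLogoutRedirectUri),
            "state=" + Uri.EscapeDataString(state)
        };
        return authority.TrimEnd('/') + "/connect/endsession?" + string.Join("&", query);
    }
}

// ---- IdentityServer side: the Quickstart decision, with comments added ----
public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;

    public AccountController(IIdentityServerInteractionService interaction)
    {
        _interaction = interaction;
    }

    [HttpGet]
    public async Task<IActionResult> Logout(string logoutId)
    {
        var vm = await BuildLogoutViewModelAsync(logoutId);
        if (vm.ShowLogoutPrompt == false)
        {
            // No confirmation needed: run the POST logic straight away.
            return await Logout(vm);
        }
        return View(vm);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout(LogoutInputModel model)
    {
        // Capture client name, post-logout redirect URI and front-channel iframe URL
        // before the authentication cookie is removed.
        var logout = await _interaction.GetLogoutContextAsync(model.LogoutId);

        if (User?.Identity.IsAuthenticated == true)
        {
            // Removing the cookie is what triggers IdentityServer's back-channel logout notifications.
            await HttpContext.SignOutAsync();
        }

        var vm = new LoggedOutViewModel
        {
            PostLogoutRedirectUri = logout?.PostLogoutRedirectUri,
            ClientName = string.IsNullOrEmpty(logout?.ClientName) ? logout?.ClientId : logout?.ClientName,
            SignOutIframeUrl = logout?.SignOutIFrameUrl,
            LogoutId = model.LogoutId
        };
        return View("LoggedOut", vm);
    }

    private async Task<LogoutViewModel> BuildLogoutViewModelAsync(string logoutId)
    {
        var vm = new LogoutViewModel { LogoutId = logoutId, ShowLogoutPrompt = AccountOptions.ShowLogoutPrompt };

        if (User?.Identity.IsAuthenticated != true)
        {
            // Nobody is signed in, so a hotlinked request cannot harm anyone: no prompt needed.
            vm.ShowLogoutPrompt = false;
            return vm;
        }

        var context = await _interaction.GetLogoutContextAsync(logoutId);
        if (context?.ShowSignoutPrompt == false)
        {
            // IdentityServer identified the client from a valid id_token_hint, so the request
            // is known to originate from that client and automatic sign-out is safe.
            // This is the path the Xamarin app takes.
            vm.ShowLogoutPrompt = false;
            return vm;
        }

        // Default: keep the prompt. The real sign-out happens on the POST above, so a
        // hotlinked GET from a malicious page cannot log the user out by itself.
        return vm;
    }
}
```

The app opens the URL returned by EndSessionRequest.Build in a browser view. Because IdentityServer validates the id_token_hint (signature, issuer and audience) before it populates the client on the logout context, a page that does not hold the user's id_token cannot take this prompt-free path; that is the reason the prompt may be skipped only in this case and the website keeps its confirmation screen.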