Identityserver4: Issue with logout with ASP.Net Identity

Created on 10 May 2017 · 10 Comments · Source: IdentityServer/IdentityServer4

I followed the tutorial https://identityserver4.readthedocs.io/en/release/quickstarts/6_aspnet_identity.html by using an MVC client. This client has an Authorize attribute on the About action and the Home Controller has a logout action

    public async Task Logout()
    {
        await HttpContext.Authentication.SignOutAsync("Cookies");
        await HttpContext.Authentication.SignOutAsync("oidc");
    }

But I did not include the quickstart UI and consent is set to false. When I log in and then click on the logout button in the MVC client, I can nevertheless access the About Controller which displays my claims. The difference with respect to the template provided here seems to be in the inclusion of the quickstart UI https://github.com/IdentityServer/IdentityServer4.Samples/tree/dev/Quickstarts/6_AspNetIdentity , which makes the code above insufficient to log me out completely. I thought from the docs that the Logout code above would log me out from the IS4Host and the MVC client as well. The behavior is confirmed by refreshing the IS4Host URL on port 5000 after logout from the client: it would keep me logged in with "Hello [email protected]!". Is that by design or am I missing something?

question


All 10 comments

> Is that by design or am I missing something?

Yes, you need the rest of the sample code. The QS only focuses on one area at a time, otherwise there'd be too much information overload needed to explain everything.

Great, then what does this code do??

    await HttpContext.Authentication.SignOutAsync("Cookies");
    await HttpContext.Authentication.SignOutAsync("oidc");

Is it possible to understand how in code IS4Host is aware of the Logout process that took place on the MVC client? It is not obvious because the Logout on the MVC client returns a Task so it is not clear how we get a redirect to http://localhost:5000/account/logout?logoutId=xxx.

I asked the question because this part of the docs was not clear (and still isn't). Cheers

> I asked the question because this part of the docs was not clear (and still isn't). Cheers

Feel free to submit a PR to the docs to clarify what you feel is unclear.

I am not sure a PR would help as I cannot commit or propose changes to the docs as this is a question. Anyway, I will find a solution sooner or later.

Docs are not clear about this process, Brock. Can you please explain here the flow of logout from the JavaScript library oidc-client, as it is making a call to account/logout(logoutID), but the AspnetIdentity AccountController does not contain this method.

> Docs are not clear about this process, Brock. Can you please explain here the flow of logout from the JavaScript library

The specs are what you should be reading to understand how things are supposed to work.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
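
The host side of the logout exchange discussed in this thread, as an added example that is not code from the thread or from the IdentityServer4 project: `SignOutAsync("Cookies")` only removes the MVC client's local cookie and `SignOutAsync("oidc")` sends the browser to the host's end-session endpoint, so the host still needs a logout action that ends its own ASP.NET Identity session. The controller shown here and the `ApplicationUser` class name are assumptions.

```csharp
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller on the IdentityServer host (port 5000 in the thread).
// ApplicationUser is assumed to be the host's ASP.NET Identity user class.
public class AccountController : Controller
{
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly IIdentityServerInteractionService _interaction;

    public AccountController(
        SignInManager<ApplicationUser> signInManager,
        IIdentityServerInteractionService interaction)
    {
        _signInManager = signInManager;
        _interaction = interaction;
    }

    // Reached through the redirect to /account/logout?logoutId=... that
    // follows the MVC client's SignOutAsync("oidc") end-session request.
    [HttpGet]
    public async Task<IActionResult> Logout(string logoutId)
    {
        // End the session on the host itself. If this step is missing, the
        // host's ASP.NET Identity cookie survives and the client's next
        // challenge signs the user straight back in without a prompt.
        await _signInManager.SignOutAsync();

        // Look up what the client asked for in its end-session request.
        var context = await _interaction.GetLogoutContextAsync(logoutId);

        // PostLogoutRedirectUri is only set after IdentityServer has checked
        // it against the client's registered post-logout URIs; otherwise
        // fall back to the host's own start page.
        if (!string.IsNullOrEmpty(context?.PostLogoutRedirectUri))
        {
            return Redirect(context.PostLogoutRedirectUri);
        }
        return Redirect("~/");
    }
}
```

This version signs out on a plain GET without a confirmation prompt and does not render `context.SignOutIFrameUrl`, so other clients sharing the session are not notified.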
