I am trying to log out from my MVC client:
using Microsoft.AspNetCore.Authentication;

public async Task Logout()
{
    // Both calls must be awaited: the first clears the client's local cookie,
    // the second redirects the browser to IdentityServer's end-session endpoint.
    await HttpContext.SignOutAsync("Cookies");
    await HttpContext.SignOutAsync("oidc");
}
When I log out, I am taken back to IdentityServer and a message tells me that I am now logged out.
But when I press "continue" to return to my MVC project, IdentityServer redirects me straight back without a login:
there is a cookie on IdentityServer that lets me back into the MVC project without entering the username and password.
How can I clear the IdentityServer cookies?
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    // Keep the original JWT claim type names (e.g. "sub") instead of the long SOAP-style URIs.
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";
        options.Authority = Configuration["Client:ISUrl"];
        // Development only: allows an http:// authority. Do not ship this to production.
        options.RequireHttpsMetadata = false;
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("email");
        options.Scope.Add("phone");
        options.Scope.Add("address");
        options.ClientId = Configuration["Client:Id"];
        options.ResponseType = "token id_token";
        options.SaveTokens = true;
    });
}
new Client
{
    ClientId = _configuration["Clients:Web:Id"],
    ClientName = "Web Application",
    AllowedGrantTypes = GrantTypes.Implicit,
    RequireConsent = false,
    AllowAccessTokensViaBrowser = true,
    RedirectUris =
    {
        $"{webUrl}/signin-oidc"
    },
    FrontChannelLogoutUri = $"{webUrl}/signout-oidc",
    PostLogoutRedirectUris =
    {
        $"{webUrl}/signout-callback-oidc"
    },
    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Email,
        IdentityServerConstants.StandardScopes.Address,
        IdentityServerConstants.StandardScopes.Phone,
        "api1"
    }
}
If you're using ASP.NET Identity, then you need to use the SignInManager to manage your cookies (including at logout time).
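An added example of what that answer amounts to on the IdentityServer side. This is not code from the thread or from the IdentityServer4 project; it assumes `ApplicationUser` is the ASP.NET Identity user type registered with `AddAspNetIdentity<ApplicationUser>()`, and the `LogoutInputModel`/`LoggedOutViewModel` types defined here are this example's own. The point is the `_signInManager.SignOutAsync()` call in the POST action: the client's "oidc" sign-out only redirects the browser to the end-session endpoint; unless the IdentityServer logout page itself clears the authentication cookie, the next authorize request is silently satisfied by the still-valid session, which is exactly the behaviour the question describes.

```csharp
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Example-only view models, modelled on the quickstart's shape (assumption).
public class LogoutInputModel
{
    public string LogoutId { get; set; }
}

public class LoggedOutViewModel
{
    public string PostLogoutRedirectUri { get; set; }
    public string SignOutIframeUrl { get; set; }
}

public class AccountController : Controller
{
    // ApplicationUser is assumed to be the ASP.NET Identity user type of this host.
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly IIdentityServerInteractionService _interaction;

    public AccountController(SignInManager<ApplicationUser> signInManager,
                             IIdentityServerInteractionService interaction)
    {
        _signInManager = signInManager;
        _interaction = interaction;
    }

    // Reached when the client's "oidc" sign-out redirects to the end-session endpoint.
    // logoutId identifies the pending logout request IdentityServer has recorded.
    [HttpGet]
    public async Task<IActionResult> Logout(string logoutId)
    {
        var context = await _interaction.GetLogoutContextAsync(logoutId);

        // The request came from a known client, so no confirmation prompt is needed:
        // perform the logout immediately instead of showing the "are you sure" page.
        if (context?.ShowSignoutPrompt == false)
        {
            return await Logout(new LogoutInputModel { LogoutId = logoutId });
        }

        return View(new LogoutInputModel { LogoutId = logoutId });
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout(LogoutInputModel model)
    {
        if (User?.Identity?.IsAuthenticated == true)
        {
            // This is the call the answer refers to. It removes the ASP.NET Identity
            // authentication cookie, which is the cookie IdentityServer uses for its
            // own session, so the next authorize request cannot reuse the session.
            await _signInManager.SignOutAsync();
        }

        var logout = await _interaction.GetLogoutContextAsync(model.LogoutId);

        // The "logged out" page renders the front-channel sign-out iframe (which clears
        // the client's cookie) and the "continue" link back to the client.
        return View("LoggedOut", new LoggedOutViewModel
        {
            PostLogoutRedirectUri = logout?.PostLogoutRedirectUri,
            SignOutIframeUrl = logout?.SignOutIFrameUrl
        });
    }
}
```

The quickstart additionally raises a `UserLogoutSuccessEvent` and handles sign-out from external identity providers; both are omitted here to keep the focus on the cookie. A quick check after deploying a change like this: log out, then open the browser's cookie store for the IdentityServer origin. The `idsrv` cookie must be gone; if it is still present, the POST action above was never reached (for example because the client did not await its `SignOutAsync("oidc")` call).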
Thank you
Just in case anyone else runs into this: I implemented some complex scenarios to wipe out the cookie in the Core 2.2 version of ASP.NET, where changes in the authentication setup are breaking DefaultUserSession and complaining about attempts to use HttpContext for signout. After recreating what the code was doing and eliminating the cookie, I STILL had the user going straight into the app. I have been leaving hooking up the back-end authentication to my (very complex) user store and multiple back-end authentication protocols until the end, so in the meantime I have been using the test store. The IProfileService implementation I left skeletonized, to provide this in the future, was doing nothing in the
public async Task IsActiveAsync(IsActiveContext context)
{
    await Task.CompletedTask;
}
handler. By setting `context.IsActive` to false, the user then does have to log in. I figure if IdentityServer4 doesn't do it, I'll wipe out the redis/mongo/whatever token storage so that they won't be active any more. So, if anyone else out there is wasting time trying to make logout work more securely while using basic test users in a stubbed-out IProfileService, you might be wasting time the same way I was.
Also, in case anyone is having issues with the latest Core complaining about / failing to use the HttpContext.SignOutAsync stuff, I added a UseWhen scenario in my app builder to recreate what IdentityServer4 does. The string constants are copies of internal constants. I wouldn't use this code long term, but if you need to get something going for a late version of Core before the next IdentityServer4 update, you can try this. My logout return page is index.html, which redirects back to my app. I put this UseWhen right after UseHttpsRedirection, before other Use statements. This STILL won't keep the user from completing authentication on navigating back to the app unless you change the IsActiveContext IsActive property as I mentioned above; whether that is intended or a result of the major Core reworking interfering with things, I don't know.
// '/index.html' is that Path when my logout redirect happens -- it must match yours
app.UseWhen(context => (context.Request.Path == "/index.html"),
thenApp => thenApp.Use(async (context, next) =>
{
string cookieName;
// copying same mechanisms used internally in identity server 4 to wipe out cookie
cookieName = IdentityServerConstants.DefaultCheckSessionCookieName;
if (context.Request.Cookies.ContainsKey(cookieName))
{
CookieOptions cookieOptions;
cookieOptions = new CookieOptions
{
HttpOnly = false,
Secure = context.Request.IsHttps,
Path = context.Request.PathBase,
IsEssential = true,
SameSite = SameSiteMode.None
};
cookieOptions.Expires = DateTime.UtcNow.AddYears(-1);
context.Response.Cookies.Append(cookieName,
".",
cookieOptions);
}
// this is a constant they use to let federated content dependent items know that you have signed out.
context.Items["idsvr:IdentityServerSignOutCalled"] = "true";
await next();
}));
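An added example of a non-stubbed `IProfileService`, following the comment above: it is not code from the thread or from IdentityServer4. `IsActiveAsync` consults a user store instead of doing nothing, and it also goes one step further than the comment by honouring a per-user "sessions invalid before" timestamp so that a logout (or an admin revocation) recorded in the store invalidates any IdentityServer session authenticated before that instant. The `StoredUser`/`IUserStore` shapes and the in-memory store with its two users are constructed for this example; the check relies on the `auth_time` claim that IdentityServer places on the session principal at sign-in (if it is missing, the code falls back to the enabled flag alone).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Hypothetical user record; stands in for the "redis/mongo/whatever" store in the comment.
public class StoredUser
{
    public string SubjectId { get; set; }
    public bool IsEnabled { get; set; }
    // Any session authenticated before this instant is treated as revoked.
    // Set it to DateTime.UtcNow on logout or when an admin revokes sessions.
    public DateTime? SessionsInvalidBeforeUtc { get; set; }
    public List<Claim> Claims { get; set; } = new List<Claim>();
}

public interface IUserStore
{
    Task<StoredUser> FindBySubjectAsync(string subjectId);
}

// Constructed in-memory store so the service can be exercised without a real database.
public class InMemoryUserStore : IUserStore
{
    private readonly Dictionary<string, StoredUser> _users = new Dictionary<string, StoredUser>
    {
        ["1"] = new StoredUser
        {
            SubjectId = "1",
            IsEnabled = true,
            Claims = { new Claim(JwtClaimTypes.Name, "alice"), new Claim(JwtClaimTypes.Email, "alice@example.com") }
        },
        // Disabled account: must never be treated as active, whatever cookie it presents.
        ["2"] = new StoredUser { SubjectId = "2", IsEnabled = false }
    };

    public Task<StoredUser> FindBySubjectAsync(string subjectId)
    {
        _users.TryGetValue(subjectId, out var user);
        return Task.FromResult(user);
    }
}

public class ProfileService : IProfileService
{
    private readonly IUserStore _users;

    public ProfileService(IUserStore users) => _users = users;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _users.FindBySubjectAsync(context.Subject.GetSubjectId());
        if (user == null) return;
        // Release only the claims the requested scopes cover, never the whole record.
        context.AddRequestedClaims(user.Claims);
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        var user = await _users.FindBySubjectAsync(context.Subject.GetSubjectId());
        if (user == null || !user.IsEnabled)
        {
            // false makes IdentityServer disregard the existing login session: the authorize
            // endpoint sends the user to the login page instead of silently issuing tokens.
            context.IsActive = false;
            return;
        }

        // auth_time: epoch seconds at which this session was authenticated (assumed present).
        var authTimeClaim = context.Subject.FindFirst(JwtClaimTypes.AuthenticationTime);
        if (user.SessionsInvalidBeforeUtc.HasValue
            && authTimeClaim != null
            && long.TryParse(authTimeClaim.Value, out var authTimeSeconds))
        {
            var authenticatedAt = DateTimeOffset.FromUnixTimeSeconds(authTimeSeconds).UtcDateTime;
            if (authenticatedAt < user.SessionsInvalidBeforeUtc.Value)
            {
                // Session predates the recorded logout/revocation: force a fresh login.
                context.IsActive = false;
                return;
            }
        }

        context.IsActive = true;
    }
}

// Registration in the IdentityServer host's ConfigureServices (example wiring):
//   services.AddSingleton<IUserStore, InMemoryUserStore>();
//   services.AddIdentityServer()
//           /* stores, clients, resources ... */
//           .AddProfileService<ProfileService>();
```

Note what this does and does not cover. `IsActiveAsync` is consulted on authorize requests and on token issuance and refresh, so a revocation timestamp in the store is enforced the next time the session is used even if the `idsrv` cookie itself was never deleted. It does not retroactively invalidate access tokens already issued to the client; those remain valid until they expire, which is the usual argument for keeping access-token lifetimes short in a setup like the implicit-flow client above.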