I have a question about performing a logout from the app and ADFS and returning the user back to the application (RP).
I've set up Windows Server 2016 with ADFS 4.0 and enabled OpenID Connect authentication for users in the local AD.
The authentication (login) using OpenID Connect works (the authorization code flow as well as the implicit flow). Sign-out (logout) works as well. The problem is that after the signout, the user is left on the ADFS signout page and not redirected back to the RP, even though the RP provides the URL in the post_logout_redirect_uri variable. An example URL is this:
https://win-910etfa6g5q.mydomain.local/adfs/oauth2/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A58196%2Fsignout-callback-oidc&state=state-here&x-client-SKU=ID_NET&x-client-ver=2.1.4.0
I am referring to the documentation in this repo: https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-fs/development/ad-fs-logout-openid-connect.md
The browser should be redirected to the post_logout_redirect_uri after logout on the ADFS
The browser stays on the signout page on the ADFS (https://win-910etfa6g5q.mydomain.local/adfs/oauth2/logout?etc...)
I'm using an ASP.NET Core MVC application with the Microsoft.AspNetCore.Authentication.OpenIdConnect package to integrate with it. I tried both the Implicit flow and the Authorization code flow.
I figured that the logout URL should be set for this application and couldn't find it in the UI, so I've set it using PowerShell: Get-AdfsServerApplication | Set-AdfsServerApplication -LogoutUri http://localhost:58196/signout-callback-oidc and verified with Get-AdfsServerApplication:
ADUserPrincipalName :
ClientSecret : ********
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys : {}
JWKSUri :
Name : TestAppGroup - Server application
Identifier : 1e0ae584-52d9-45e3-a3d9-b3216a0a26bc
ApplicationGroupIdentifier : TestAppGroup
Description :
Enabled : True
RedirectUri : {http://localhost:58196/signin-oidc}
LogoutUri : http://localhost:58196/signout-callback-oidc
The ADFS is still not redirecting to the specified logout URI and I'm wondering if I understood the documentation incorrectly. Perhaps the documentation is referring to the fact that ADFS is supposed to "call" all applications that the user signed into on the following URLs? But that is not happening either.
I am performing tests from a dev machine (localhost) and connecting to ADFS win-910etfa6g5q.mydomain.local (different machine). I am using self-signed certificates, FWIW.
Additionally, I found this error in the event log:
The specified redirect URL did not match any of the OAuth client's redirect URIs. The logout was successful but the client will not be redirected.
URL: http://localhost:58196/signout-callback-oidc
even though the "Server application" is configured with this URL:

I've added this URL to the redirect URLs as well:
> Get-AdfsServerApplication
[snip]
RedirectUri : {http://localhost:58196/signin-oidc,
http://localhost:58196/signout-callback-oidc}
LogoutUri : http://localhost:58196/signout-callback-oidc
Just found out that the error is misleading. There is no issue with the logout URI property, but rather that the id_token_hint is missing from the logout request.
In order to implement this, one has to store the id_token issued, so it can be provided to the logout endpoint. I found out that if you're using ASP.NET OpenIdConnect package to implement the flows, you can set the SaveTokens option to true, and the library will persist the id_token as part of the claims which are sent to the client (the cookie holding the claims just got bigger :().
I'm not entirely sure why the id_token_hint is a MUST (since it is "only" RECOMMENDED in the spec).
I believe the error message in the event log should reflect the actual reason for redirect rejection.
Any thoughts?
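As an added example (not code from the issue or from the MicrosoftDocs repository), this is the ASP.NET Core 2.x configuration that makes the sign-out described above work: SaveTokens keeps the id_token, the OpenID Connect handler then adds it as id_token_hint to the request sent to /adfs/oauth2/logout, and the sign-out event checks for it before the browser leaves the RP. The ADFS host and callback paths are the ones from the issue; the client id and secret are placeholders, and only the authentication part of Startup plus the logout action are shown.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using System.Threading.Tasks;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        }).AddCookie()
        .AddOpenIdConnect(o =>
        {
            o.Authority = "https://win-910etfa6g5q.mydomain.local/adfs"; // ADFS host from the issue
            o.ClientId = "<client-id>";         // placeholder: Identifier of the ADFS server application
            o.ClientSecret = "<client-secret>"; // placeholder
            o.ResponseType = OpenIdConnectResponseType.Code;
            // Default CallbackPath /signin-oidc and SignedOutCallbackPath /signout-callback-oidc
            // match the RedirectUri and LogoutUri registered on the ADFS server application.
            o.SaveTokens = true; // keep the id_token so the handler can send id_token_hint on sign-out
            o.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProviderForSignOut = ctx =>
                {
                    // Without id_token_hint ADFS ends the session but does not redirect back,
                    // and logs the misleading "redirect URL did not match" event instead.
                    if (string.IsNullOrEmpty(ctx.ProtocolMessage.IdTokenHint))
                        ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Startup>>()
                            .LogWarning("Sign-out request carries no id_token_hint; ADFS will not redirect back.");
                    return Task.CompletedTask;
                }
            };
        });
    }
}

public class AccountController : Controller
{
    // Signs out of the local cookie and of ADFS. The OIDC handler reads the saved id_token and adds
    // id_token_hint and post_logout_redirect_uri to the request it sends to /adfs/oauth2/logout.
    [HttpPost]
    public IActionResult Logout() => SignOut(new AuthenticationProperties { RedirectUri = "/" },
        CookieAuthenticationDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme);
}
```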
Closing due to inactivity. Please reopen to pursue further. Thanks!