Logging Out Using AspNet.Security.OpenIdConnect.Server (ASP.NET vNext)

I am using Visual Studio 2015 Enterprise and ASP.NET vNext Beta8 to issue and use JWT tokens, as described here.

In our implementation, we save some client details in Redis when the token is issued, and we would like this information to be hidden when the user logs out.

My question is, what are the best methods to log out of OIDC?

While I could roll out my own controller for this purpose, I couldn't help but notice that OpenID Connect (OIDC) seems somewhat primed to handle this case. For example, OIDC has an OnLogoutEndpoint and LogoutEndpointPath handler. But when I call the OIDC logout URI, the handler seems to accept any random x-www-form-urlencoded form that I throw at it and in no way requires a token.

Any recommendations regarding good OIDC logout practices would be greatly appreciated.

+2
jwt openid-connect
Nov 24 '15 at 15:07
1 answer

In AspNet.Security.OpenIdConnect.Server, the logic used for the logout endpoint is left as an exercise.

In this sample, it is implemented using an MVC 6 controller, where of course you can add custom logic to remove cached data from the Redis server.

```csharp
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.AspNet.Mvc;

[HttpPost("~/connect/logout")]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout()
{
    // When invoked, the logout endpoint might receive an unauthenticated request
    // if the server cookie has expired.
    // When the client application sends an id_token_hint parameter, the corresponding
    // identity can be retrieved using AuthenticateAsync (it returns a ClaimsPrincipal,
    // or null when nothing could be authenticated).
    var identity = await HttpContext.Authentication.AuthenticateAsync(
        OpenIdConnectServerDefaults.AuthenticationScheme);

    // Remove the cached details here. If you need to determine who the
    // authenticated user is, you can use the identity variable.

    // Remove the authentication cookie and return the user to the client application.
    return SignOut("ServerCookie", OpenIdConnectServerDefaults.AuthenticationScheme);
}
```

You can also do something similar directly from the LogoutEndpoint event. Remember to call context.HandleResponse() to make sure the request is not intercepted by other middleware.

+1
Dec 02 '15 at 1:26
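Because the logout endpoint accepts any form body and requires no token, the cache eviction should be keyed on an identity the server authenticated itself, not on a client-supplied parameter. The following is an added example (not code from the question, the answer, or the AspNet.Security.OpenIdConnect.Server project) that extends the action above in that direction; it assumes StackExchange.Redis, an `IDatabase` registered in DI, that the subject is carried in the `ClaimTypes.NameIdentifier` claim, and that token issuance stored per-user details under a `session:{subject}` key.

```csharp
// Added example, not part of the original answer. Assumes StackExchange.Redis,
// an IDatabase from ConnectionMultiplexer.GetDatabase() registered in DI,
// and cached client details stored under "session:{subject}" at token issuance.
using System.Security.Claims;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.AspNet.Mvc;
using StackExchange.Redis;

public class LogoutController : Controller
{
    private readonly IDatabase _redis;

    public LogoutController(IDatabase redis)
    {
        _redis = redis;
    }

    [HttpPost("~/connect/logout")]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        // The logout endpoint takes any form body and needs no token, so the only
        // identity worth trusting is one the server authenticates itself: the server
        // cookie, or an id_token_hint validated by the OIDC server middleware.
        var principal = await HttpContext.Authentication.AuthenticateAsync(
            OpenIdConnectServerDefaults.AuthenticationScheme);

        // Subject claim type is an assumption; adjust to how your server issues it.
        var subject = principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;

        if (!string.IsNullOrEmpty(subject))
        {
            // Safe to evict now: the key derives from an authenticated claim, never
            // from a form field an anonymous caller could set to another user's id.
            await _redis.KeyDeleteAsync("session:" + subject);
        }
        // With no authenticated identity, still clear the cookie but touch no cached
        // state, so an unauthenticated POST cannot affect anyone else's session data.

        return SignOut("ServerCookie", OpenIdConnectServerDefaults.AuthenticationScheme);
    }
}
```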