Why does the end user have to log out twice?

7
votes

I am trying to get IdentityServer4 working inside a new .NET Core 2.1 app (it works perfectly inside a .NET Core 2.0 app). I have tried the following:

1) Download this project, which is the IdentityServer4 application: https://github.com/ghstahl/IdentityServer4-Asp.Net-2.1-Identity-Examples/tree/e0aeeff7e078aa082c8e16029dd2c220acc77d7b

2) Download this project, which is the MVC application using the Identity Server4 application: https://github.com/IdentityServer/IdentityServer4.Samples/tree/dev/Quickstarts/6_AspNetIdentity/src/MvcClient.

3) Add the two projects to the same solution. The MVC project uses the IdentityServer project for authentication; authorisation etc.

I had to make the following changes:

1) Change to the Startup contained in the IdentityServer app (AddIdentityServer now accepts an argument):

services.AddIdentityServer(options =>
{
    options.UserInteraction.LoginUrl = "/Identity/Account/Login";
    options.UserInteraction.LogoutUrl = "/Identity/Account/Logout";
})

2) Configure the IdentityServer app to listen on port 5000 and disable SSL on the identity server.

Everything works as expected out of the box, except the logout facility. When I click log out in the MVC application; the following code is called inside the MVC app:

public async Task Logout() 
{ 
    await HttpContext.SignOutAsync("Cookies"); 
    await HttpContext.SignOutAsync("oidc"); 
}

The user is then redirected to Logout.cshtml in the IdentityServer app. However, they have to click log out again (on the IdentityServer app) in order to actually log out i.e. they click log out in the MVC app (point two), then log out in IdentityServer (point one).

Why does the end user have to log out twice?

3
c#asp.net-coreidentityserver4asp.net-core-identity
Have not used it, but there is an overload of SignOutAsync that does not require the schema parameter. - Cleptus
@bradbury9, could you elaborate? All the SignOutAsync constructors in that link accept at least one argument. Thanks. - w0051977
Sure, they are extension methods so its first argument is the HttpContext object. I refer to this overload That could be called either System.Threading.Tasks.Task.SignOutAsync(HttpContext); o HttpContext.SignOutAsync(); The 1st one calls directly the static method and the 2nd one uses the extension method directly. - Cleptus
In this scenario, you are logged in twice: Once in the MVC app and once in the IS4 app itself. When you hit Logout in your MVC app, you logout of the MVC app but are still logged in with IS4. This is kinda like signing into an app using Google - you're signed in to Google itself and the app that uses Google. When you signed out of said app that uses Google, you don't also sign out of Google itself. - Kirk Larkin
As a general hint: Open your browser’s dev tools and look at the network tab. There you can see where the browser is actually going to, so you could easily see when it redirects back to the identity server for example. You can also see the HTTP response headers there, so you can inspect when cookies are set or cleared. – That’s usually very useful when debugging authentication flow related problems. - poke

3 Answers

4
votes

In the Account/Logout page, which lives under Areas/Identity/Account/Logout.cshtml.cs in your scaffolded ASP.NET Core Identity code, there is an OnGet handler that looks like this:

public void OnGet() { }

Because this is using ASP.NET Core Razor Pages, all this does is render the corresponding Logout.cshtml page. In your example, when you hit Logout in the MVC app, it clears its own cookies and then passes you over to the IS4 app (the OnGet, specifically). Because this OnGet handler is empty, it's not really doing anything and it's certainly not signing you out of the IS4 app.

If you look at the OnPost handler inside of Logout.cshtml.cs, you'll see it looks something like this:

public async Task<IActionResult> OnPost(string returnUrl = null)
{
    await _signInManager.SignOutAsync();
    // ...
}

This call to SignOutAsync does exactly what it suggests: it signs you out of IS4 itself. However, in your current workflow, this OnPost handler is not being called. The OnGet handler is called indirectly when you use Logout in the MVC app, as I've already mentioned.

Now, if you look at the controller/action implementation of IS4 logout in the Quickstart.UI project, you'll see that essentially it passes the GET request over to the POST request. Here's the code, with comments stripped out:

[HttpGet]
public async Task<IActionResult> Logout(string logoutId)
{
    var vm = await BuildLogoutViewModelAsync(logoutId);

    if (vm.ShowLogoutPrompt == false)
        return await Logout(vm);

    return View(vm);
}

When logging out, there's a setting that controls whether or not the user should first be prompted to confirm whether or not they want to log out. That's mostly what this code is taking care of - it passes it straight over to the POST request handler if the prompt is not required. Here's a snippet of the code for the POST:

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout(LogoutInputModel model)
{
    var vm = await BuildLoggedOutViewModelAsync(model.LogoutId);

    if (User?.Identity.IsAuthenticated == true)
    {
        await HttpContext.SignOutAsync();

        // ...
    }

    // ...

    return View("LoggedOut", vm);
}

The important line here is the call to HttpContext.SignOutAsync - this ends up removing the cookie that IS4 is using to keep you signed in. Once this has been removed, you're signed out of IS4. Ultimately, this is what is missing from your current implementation.

At the simplest level, you can fix your issue by updating your OnGet to look like this:

public async Task<IActionResult> OnGet()
{
    if (User?.Identity.IsAuthenticated == true)
    {
        await _signInManager.SignOutAsync();          
        return RedirectToPage(); // A redirect ensures that the cookies has gone.
    }

    return Page();
}

This doesn't support the ShowLogoutPrompt option I've detailed above, simply just to keep this answer a little bit shorter. Apart from that, it's just using _signInManager to do the logout given that you're in the ASP.NET Core Identity world.

I encourage you to explore the full source-code from the Quickstart.UI implementation in order to support ShowLogoutPrompt, returnUrl, etc - I can't possibly do that here without writing a book.

2
votes

Simple logout functionalty is possible like following:

        private readonly SignInManager<IdentityUser> _signInManager;
        private readonly ILogger<LogoutModel> _logger;
        private readonly IIdentityServerInteractionService _interaction;
        public LogoutModel(SignInManager<IdentityUser> signInManager, ILogger<LogoutModel> logger,
            IIdentityServerInteractionService interaction)
        {
            _signInManager = signInManager;
            _logger = logger;
            _interaction = interaction;
        }

        public async Task<IActionResult> OnGet(string logoutId)
        {
            return await OnPost(logoutId);
        }

        public async Task<IActionResult> OnPost(string logoutId)
        {
            await _signInManager.SignOutAsync();
            _logger.LogInformation("User logged out.");
            var r = await _interaction.GetLogoutContextAsync(logoutId);
            if (r.PostLogoutRedirectUri == null)
            {
                return Redirect("/");
            }
            return Redirect(r.PostLogoutRedirectUri);
        }
0
votes

I had the same problem and I solved it for me and decided to put my answer here for others to see.

Solution: Inside IdentityServer4 Quick start project logic is already there and ready to configure it for user needs.

  1. Open SolutionName/Quickstart/Account/AccountOptions.cs
  2. Set ShowLogoutPrompt to false
  3. Set AutomaticRedirectAfterSignOut to true

Example

I hope this will help, good luck.