IdentityServer3 Token Not Getting Deleted on Logout

Question

I am using IdentityServer3 and have implemented a custom grant flow for backwards compatibility with an existing SSO implementation. I am using reference tokens for API authentication. I have implemented ITokenHandleStore and also IUserService.

I am able to log in successfully and access my application. The issue is that after I logout, the reference token is still valid.

Upon logout I call HttpContext.Current.GetOwinContext().Authentication.SignOut(); I also make a call to /connect/endsession?id_token_hint=mYrEfErEnCeToKeN and pass the reference token for the user on the query string parameter.

However, neither the SignOutAsync method in IUserService nor the RemoveAsync method in ITokenHandleStore ever gets called. Because of this, the token remains in my Token Database table and gets treated like a valid token on subsequent requests even after the user has been logged out.

What is the proper way of logging out a user when doing a Custom Grant flow? How do I get the record deleted out of my database token store?

When I call the endsession endpoint the logging from IdentityServer displays this:

Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:07:14.835 -04:00 [Information] End access token validation request Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:22.289 -04:00 [Information] Start end session request Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:22.349 -04:00 [Information] Start end session request validation Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:22.412 -04:00 [Information] Start identity token validation Sam.Web.MicroServices.IdentityService.vshost.exe Error: 0 : 2016-07-13 04:09:22.581 -04:00 [Error] Malformed JWT token System.ArgumentException: IDX10709: 'jwtEncodedString' is not well formed: '7dc2417fb752d096af2870c46ca8a181'. The string needs to be in compact JSON format, which is of the form: '..'. at System.IdentityModel.Tokens.JwtSecurityToken..ctor(String jwtEncodedString) in c:\\workspace\\WilsonForDotNet45Release\\src\\System.IdentityModel.To kens.Jwt\\JwtSecurityToken.cs:line 68 at IdentityServer3.Core.Validation.TokenValidator.GetClientIdFromJwt(String token) in c:\\local\\identity\\server3\\Core\\source\\Core\\Validation\\TokenVa lidator.cs:line 347 Sam.Web.MicroServices.IdentityService.vshost.exe Error: 0 : 2016-07-13 04:09:22.648 -04:00 [Error] No clientId supplied, can't find id in identity tok en. Sam.Web.MicroServices.IdentityService.vshost.exe Error: 0 : 2016-07-13 04:09:22.701 -04:00 [Error] "Error validating id token hint." "{
\\"SubjectId\\": \\"unknown\\", \\"Raw\\": { \\"id_token_hint\\": \\"7dc2417fb752d096af2870c46ca8a181\\" } }" Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:22.753 -04:00 [Information] Redirecting to logout page Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:22.872 -04:00 [Information] Logout endpoint submitted Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:22.944 -04:00 [Information] Clearing cookies Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:09:23.013 -04:00 [Information] rendering logged out page

When I make a call to the /revocation endpoint the IdentityServer logs displays this:

Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:14.822 -04:00 [Information] CORS request made for path: "/connect/r evocation" from origin: "chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop" Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:14.864 -04:00 [Information] AllowedOrigins configured and origin "c hrome-extension://fhbjgbiflinjbdggehcddcbncdddomop" is not allowed Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:14.906 -04:00 [Information] Exiting; origin "chrome-extension://fhb jgbiflinjbdggehcddcbncdddomop" is not allowed Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:14.941 -04:00 [Information] CorsPolicyService did not allow origin Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:15.005 -04:00 [Information] Start token revocation request 2016-07-13 04:11:15.063 -04:00 [Debug] Start client validation 2016-07-13 04:11:15.064 -04:00 [Debug] Start parsing for X.509 certificate 2016-07-13 04:11:15.065 -04:00 [Debug] client_id is not found in post body 2016-07-13 04:11:15.066 -04:00 [Debug] Start parsing for secret in post body 2016-07-13 04:11:15.067 -04:00 [Debug] No secret in post body found 2016-07-13 04:11:15.068 -04:00 [Debug] Start parsing Basic Authentication secret Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:15.069 -04:00 [Information] Parser found no secret Sam.Web.MicroServices.IdentityService.vshost.exe Informati on: 0 : 2016-07-13 04:11:15.124 -04:00 [Information] No client secret found Sam.Web.MicroServices.IdentityService.vshost.exe Information: 0 : 2016-07-13 04:11:15.175 -04:00 [Information] Returning error: invalid_client

Answer 1

The reason you are receiving an error on logout is because you are passing back an access token in the id_token_hint parameter. This parameter requires the identity token that was issued to you upon log in (assuming you are using OpenID Connect).

If you are only using OAuth, then the endsession endpoint is not for you. Instead to revoke the access token you need to use the revocation endpoint . This will then delete the token from your database.

The error you are receiving from the revocation endpoint seems to be related to a different issue (looks like you aren't supplying a client id and secret).