
Where can I find a code sample for OpenID Connect sign-out in C#?

Security is one of those things that, once you set it up, you kinda forget about, until something doesn't work. I have a .NET Core application that uses OpenID Connect with Azure. The sign-in works fine, but we noticed a few days ago that the sign-out wasn't working. You could sign out of the application, but then log in again directly without entering credentials. So I have been looking around and found out that it's not good enough to clear the cookies and session; you need to go to the "end_session_endpoint" to actually clear the credentials. I have looked in a number of places, but I can't find a simple code example of how to do this, and the code examples I have tried don't seem to work. When I run locally, I can log out and it says it logged me out, but when I start the application again, I am logged in automatically right away. I understand the concept, I just don't know how to do it. Below is what my authentication looks like in the Startup.cs file:

// Namespaces this Startup.cs fragment relies on:
// using Microsoft.AspNetCore.Http;                            // PathString
// using Microsoft.IdentityModel.Protocols.OpenIdConnect;      // OpenIdConnectResponseType
// using Microsoft.IdentityModel.Tokens;                       // TokenValidationParameters

services.AddAuthentication(options =>
    {
        // No default scheme is configured here; the cookie and OIDC handlers are added below.
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = Configuration["Authentication:Microsoft:OAuth"];
        options.RequireHttpsMetadata = true;
        // Hybrid flow: an authorization code plus an ID token come back on the callback.
        options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
        options.UsePkce = false;
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("email");
        // Keep the tokens (including the id_token) in the authentication cookie.
        options.SaveTokens = true;
        options.CallbackPath = new PathString(Configuration["Authentication:Microsoft:Callback"]);
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Issuer validation is switched off for the incoming ID token.
            ValidateIssuer = false,
        };

        // MetadataAddress represents the Active Directory instance used to authenticate users.
        options.MetadataAddress = Configuration["Authentication:Microsoft:Meta"];

        options.ClientId = Configuration["Authentication:Microsoft:ApplicationId"];
        options.ClientSecret = Configuration["Authentication:Microsoft:Password"];
    });

Does anyone have a straightforward code example for this?

RP INITIATED LOGOUT

This is mostly a case of sending the standard message with these parameters. If I remember rightly, Azure may require the third of these to log you out successfully.

  • client_id
  • post_logout_redirect_uri
  • id_token_hint

EXAMPLES

Here is a C# example that sends this type of request. It uses the older .NET Framework, but the behaviour in .NET Core is very similar.

My Azure SPA example does an RP-initiated logout, and I can confirm that these parameters work fine with Azure AD.

ADVANCED OPTIONS

Sometimes logout can be a very tricky area in which to get the best usability behaviour, depending on the provider. In case it is useful later, another option is to use the max_age parameter from OpenID Connect during sign-in. You then get an auth_time claim in the ID token. On the next redirect after auth_time has expired, you can use this data to send a prompt=login parameter if required, to force the user to re-authenticate. The .NET way to do this is described in this post.
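The wiring below is an added example, not code from the question or the answer above. It shows how the three parameters the answer lists (client_id, post_logout_redirect_uri, id_token_hint) end up on the end_session_endpoint request in an ASP.NET Core app configured like the Startup.cs in the question. The built-in OpenIdConnectHandler already sends id_token_hint (taken from the tokens stored by SaveTokens = true) and post_logout_redirect_uri (built from SignedOutCallbackPath, whose default is /signout-callback-oidc); the event hook adds client_id. The class name OidcSignOutExtensions, the method ConfigureRpInitiatedLogout and the controller AccountController are hypothetical names chosen for this example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Added example (not from the original post). Hypothetical names: OidcSignOutExtensions,
// ConfigureRpInitiatedLogout, AccountController.
public static class OidcSignOutExtensions
{
    // Call this inside the existing .AddOpenIdConnect(options => { ... }) lambda in
    // Startup.cs, e.g. as the last line: options.ConfigureRpInitiatedLogout();
    public static void ConfigureRpInitiatedLogout(this OpenIdConnectOptions options)
    {
        // The handler reads the stored id_token and sends it as id_token_hint. Without
        // SaveTokens there is nothing to send, and Azure AD shows an account picker
        // instead of ending the session.
        options.SaveTokens = true;

        // Azure AD redirects here after it has ended its own session. The handler sends
        // this absolute URL as post_logout_redirect_uri; it must be registered as a
        // post-logout redirect URI on the Azure AD app registration.
        options.SignedOutCallbackPath = "/signout-callback-oidc";

        // Local page to land on once the callback above has been processed.
        options.SignedOutRedirectUri = "/";

        // Runs just before the browser is redirected to end_session_endpoint.
        // id_token_hint and post_logout_redirect_uri are already on the message;
        // this adds client_id (the remaining parameter from the answer) and logs
        // loudly if the hint is missing, which is the usual cause of "logged out
        // locally, still signed in at Azure".
        options.Events.OnRedirectToIdentityProviderForSignOut = ctx =>
        {
            ctx.ProtocolMessage.SetParameter("client_id", ctx.Options.ClientId);

            if (string.IsNullOrEmpty(ctx.ProtocolMessage.IdTokenHint))
            {
                var logger = ctx.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>()
                    .CreateLogger("OidcSignOut");
                logger.LogWarning(
                    "Sign-out redirect without id_token_hint; was SaveTokens true at sign-in?");
            }
            return Task.CompletedTask;
        };
    }
}

public class AccountController : Controller
{
    // POST rather than GET: a GET logout endpoint can be triggered by any page the
    // user visits (logout CSRF). The anti-forgery token ties the request to a form
    // this application rendered.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Logout()
    {
        // Signing out of the cookie scheme alone is the behaviour the question
        // describes: the local session is gone, but Azure AD keeps its session, so the
        // next sign-in completes silently. Naming the OIDC scheme as well makes the
        // handler redirect the browser to end_session_endpoint, roughly:
        //   <end_session_endpoint>?post_logout_redirect_uri=https://<host>/signout-callback-oidc
        //                          &id_token_hint=<saved id_token>&client_id=<ApplicationId>
        return SignOut(
            new AuthenticationProperties { RedirectUri = "/" },
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

Two checks worth making while debugging this: confirm in the browser's network log that the redirect to the logout endpoint actually carries id_token_hint (a missing hint is what produces the account picker or a silent re-login), and confirm the exact post-logout URL is registered in the app registration, otherwise Azure AD ends the session but does not redirect back. Separately, the Startup.cs in the question sets ValidateIssuer = false; unless the app is deliberately multi-tenant with its own issuer check, that accepts ID tokens issued for any tenant, so it is worth revisiting once sign-out is fixed.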

The technical posts on this site are published under the CC BY-SA 4.0 license. If you need to reprint, please indicate the site URL or the original address. For any questions, please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM