
Sign Out of a Blazor App using the OIDC Authentication Scheme

We have a .NET Core 6 Blazor Server App. We login with our own Identity Provider using OIDC. We are having an issue signing out.

We have set up our authentication using the following code block.

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddCookie()
    .AddOpenIdConnect(opts => {
        opts.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        opts.RequireHttpsMetadata = !isDebug;
        opts.ClientId = "user-accounts-app";
        opts.CallbackPath = "/signin-oidc";
        opts.ResponseType = OpenIdConnectResponseType.Code;
        opts.Authority = authority;
        opts.ClientSecret = builder.Configuration["CLIENT_SECRET"];
        var scopes = new List<string>() {
            "openid", "profile", "email", "phone", "offline_access"
        };
        foreach(var s in scopes)
        {
            opts.Scope.Add(s);
        }
    });

The discovery document does include an end_session_endpoint; however, the endpoint is never hit. We attempt to sign out from a razor page with

await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
// This line does not work
await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme, new AuthenticationProperties
{
    RedirectUri = "http://mydomainhere.com/our/path/here",
});

Running that 2nd SignOutAsync seems to do nothing. The Identity Provider is not hit at the end session endpoint and nothing happens on our logout page. Our session is not cleared from the IDP.

Additionally, our cookies for the blazor app are not entirely cleared. We have a ton of lingering .AspNetCorrelation.hash<hash-here> with path /signin-oidc (tried to get a screenshot but SO is having server errors with those right now). But the .AspNetCore cookie is cleared successfully by the first SignOutAsync call.

I'm not sure what the behavior of the second SignOutAsync is supposed to be. Would it redirect the user to the logout url of the IDP? Or does it do that in the background? Are we missing some configuration in our call to AddOpenIdConnect() to handle sign out?

Looks like we were just missing an OIDC sign out scheme.

opts.SignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;

This is all we needed to get it working.

ASP.net will use the sign in scheme if no sign out scheme is specified. The sign in scheme is cookie which is a bit misleading because the OpenID authority is actually the one you're signed into. Signing in leads to the cookie being created to store the auth token provided by that authority (so you are effectively signed into the client app). If you sign out with a cookie scheme then only the cookie is destroyed -- you are signed out of the client, but not the authority. The next time you come to a page, you just get a new cookie because you're already signed into the authority.

The sign out scheme above therefore signs out of the authority, not just the client. I'm not sure if my colleague who figured it out also added a step of removing the cookie. I will edit this with details if I find out they did or not. It may somehow be magically handled by the asp framework.
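As an added example, not the asker's or the answerer's code: the configuration the answer arrives at, written out as a complete Program.cs for a .NET 6 Blazor Server app, together with a logout endpoint that signs out of both the cookie and the OIDC scheme. The OIDC_AUTHORITY configuration key, the /logout route, the explicit SignedOutCallbackPath and SaveTokens settings are my assumptions; the thread does not mention them.

```csharp
// Program.cs (.NET 6 minimal hosting). Assumed configuration keys: OIDC_AUTHORITY, CLIENT_SECRET.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
var isDebug = builder.Environment.IsDevelopment();
var authority = builder.Configuration["OIDC_AUTHORITY"];   // assumed key, e.g. https://idp.example.com

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddCookie()
    .AddOpenIdConnect(opts =>
    {
        opts.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        // The setting the answer adds: without it the handler uses the sign-in (cookie)
        // scheme for sign-out as well, so only the local cookie is touched.
        opts.SignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;

        opts.RequireHttpsMetadata = !isDebug;
        opts.Authority = authority;
        opts.ClientId = "user-accounts-app";
        opts.ClientSecret = builder.Configuration["CLIENT_SECRET"];
        opts.ResponseType = OpenIdConnectResponseType.Code;
        opts.CallbackPath = "/signin-oidc";

        // Where the IdP sends the browser back after end_session_endpoint. The full URL must be
        // registered at the IdP as a post-logout redirect URI or the IdP will reject the request.
        opts.SignedOutCallbackPath = "/signout-callback-oidc";
        // Keep the id_token in the auth cookie so the handler can send id_token_hint on logout.
        opts.SaveTokens = true;

        foreach (var s in new[] { "openid", "profile", "email", "phone", "offline_access" })
            opts.Scope.Add(s);
    });

builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();

var app = builder.Build();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// A Blazor Server component runs over the SignalR circuit and cannot modify the HTTP response,
// so sign-out has to happen in a real HTTP request. From a component, reach this endpoint with
// NavigationManager.NavigateTo("/logout", forceLoad: true).
app.MapGet("/logout", async (HttpContext ctx) =>
{
    // 1. Remove the local session cookie (signs out of the client app only).
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    // 2. Redirect the browser to the IdP's end_session_endpoint (ends the authority session).
    //    RedirectUri is where the user lands after the IdP returns to SignedOutCallbackPath.
    await ctx.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme,
        new AuthenticationProperties { RedirectUri = "/" });
});

app.MapBlazorHub();
app.MapFallbackToPage("/_Host");
app.Run();
```

The two SignOutAsync calls do different jobs: the cookie call deletes the local ticket, the OIDC call issues the redirect to the authority. Checking that a logout actually clears the IdP session is as simple as watching the browser hit end_session_endpoint and then opening a protected page: if a new cookie appears without a login prompt, only the client side was signed out. On the lingering .AspNetCore.Correlation cookies the question mentions: the OIDC handler writes one per challenge and removes it when the matching /signin-oidc callback completes, so a pile of them points to challenges that were started but never finished rather than to the sign-out path.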
