
ASP.NET Core 6 OAuth2 Logout - returning 404 error

I'm trying to implement the logout functionality for an ASP.NET Core 6.0 MVC application (Web API is not a separate project).

However, when I'm trying to log out of the application, I get 404 Bad Request - error:

The 'post_logout_redirect_uri' parameter must be a Logout redirect URI in the client app settings

Here is the program.cs :

appBuilder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})    
   .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
     {
         options.ExpireTimeSpan = TimeSpan.FromMinutes(10);
         options.SlidingExpiration = true;
     })
   .AddOpenIdConnect(options =>
{
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.Authority = config.GetValue<string>("Okta:Domain");
    options.ClientId = config.GetValue<string>("Okta:ClientId");
    options.ClientSecret = config.GetValue<string>("Okta:ClientSecret");

    options.GetClaimsFromUserInfoEndpoint = true;
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.UseTokenLifetime = true;
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("email");
    options.SaveTokens = true;
    options.RequireHttpsMetadata = true;
    options.CallbackPath = "/signin-oidc";
    options.SignedOutRedirectUri = "/Home/Logout";
 
    if (config.GetValue<string>("env") != "localhost")
    {
        var proxyUri = new WebProxy(new Uri(config["ProxyURL"]), BypassOnLocal: false);
        var proxyHttpClientHandler = new HttpClientHandler
        {
            Proxy = proxyUri,
            UseProxy = true,
            SslProtocols = System.Security.Authentication.SslProtocols.Tls | System.Security.Authentication.SslProtocols.Tls11 | System.Security.Authentication.SslProtocols.Tls12
        };
        var httpClient = new HttpClient(proxyHttpClientHandler)
        {            
            Timeout = TimeSpan.FromMinutes(10)
        };        
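        options.BackchannelHttpHandler = new HttpClientHandler
        {
            // This callback returns true for every certificate, so TLS
            // certificate validation is disabled for backchannel calls to the authority.
            ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true,
            Proxy = proxyHttpClientHandler.Proxy,
        };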
    }

    options.Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = async ctx =>
        {          
            ctx.ProtocolMessage.RedirectUri = config.GetValue<string>("Okta:RedirectUri");
            await Task.FromResult(0);
        },

        OnRedirectToIdentityProviderForSignOut = async ctx =>
        {            
            ctx.ProtocolMessage.PostLogoutRedirectUri = config.GetValue<string>("Okta:PostLogoutRedirectUri");
            await Task.CompletedTask;
        },

        OnUserInformationReceived = async context =>
        {   
            string rAccessToken = context.ProtocolMessage.AccessToken;
            string rIdToken = context.ProtocolMessage.IdToken;
            var handler = new JwtSecurityTokenHandler();
            var accessToken = handler.ReadJwtToken(rAccessToken);
            var idToken = handler.ReadJwtToken(rIdToken);
        },

        OnTicketReceived = async context =>
        {
        },

        OnAuthenticationFailed = async context =>
        {
        },

        OnSignedOutCallbackRedirect = async context =>
        {          
        }
    };
});

appBuilder.Services.AddAuthorization();

appsettings.json :

"Okta": {
    "ClientId": "123Ac0n28iK9MH3Oc297",
    "ClientSecret": "325twLwoWrgBY6ep-Imgsrg43_12cIo6jA993j2VU",
    "Domain": "https://login-bb.zzz/oauth2/default",
    "PostLogoutRedirectUri": "https://localhost:22334/signout-callback-oidc",
    "RedirectUri": "https://localhost:22334/signin-oidc",
    "SignOutRedirectUri": "https://localhost:22334/signout-oidc"
  },

Controller:

[HttpPost]
public async Task Logout()
{
        if (User.Identity.IsAuthenticated)
        {
            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
        }
}

If I set the PostLogoutRedirectUri to NULL, it logs out of the application and redirects to the sign-in page. However, upon signing in, it doesn't take me back to the application, but redirects me to the Okta home page.

I appreciate any tips for this.

Have never used the OKTA API but was curious and looked in the API documentation. From what I'm seeing, perhaps your appsettings.json has incorrect nomenclature. You have "PostLogoutRedirectUri", and the API docs are showing setting the json for PostLogoutRedirectUri as "end_session_redirect_uri".

Also states this...

If you don't specify a post_logout_redirect_uri, then the browser is redirected to the Okta sign-in page

If the API endpoint is looking for "end_session_redirect_uri" and not getting it, perhaps it's treating it as not specified in above quote.

Sign users out | Okta Developer

Scroll down to... "Define the sign-out callback" section.

Like I said above, never used Okta, was just curious about it.
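
An added example, not code from the question or the answer: a minimal .NET 6 `Program.cs` that logs the exact `post_logout_redirect_uri` the OpenID Connect handler is about to send and compares it, as an ordinal string, with a local copy of the sign-out redirect URIs registered for the client, which is the condition named in the error message quoted in the question. The `Okta:RegisteredSignOutUris` key, the `/logout` route and the logger name are assumptions made for this example; the other `Okta:*` keys are the ones shown in the question.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
var okta = builder.Configuration.GetSection("Okta");
// Assumed key (not on the page): a local copy of the sign-out redirect URIs
// registered for this client at the identity provider.
var registered = okta.GetSection("RegisteredSignOutUris").Get<string[]>() ?? Array.Empty<string>();

builder.Services.AddAuthentication(o =>
{
    o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(o =>
{
    o.Authority = okta["Domain"];
    o.ClientId = okta["ClientId"];
    o.ClientSecret = okta["ClientSecret"];
    o.ResponseType = OpenIdConnectResponseType.Code;
    o.SaveTokens = true;                                 // stored id_token is sent as id_token_hint
    o.SignedOutCallbackPath = "/signout-callback-oidc";  // handler turns this into an absolute URI
    o.SignedOutRedirectUri = "/";                        // local page shown after the callback
    o.Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProviderForSignOut = ctx =>
        {
            // Already absolute here: request scheme + host + path base + SignedOutCallbackPath.
            var sent = ctx.ProtocolMessage.PostLogoutRedirectUri;
            var log = ctx.HttpContext.RequestServices
                .GetRequiredService<ILoggerFactory>().CreateLogger("OidcSignOut");
            if (!registered.Contains(sent, StringComparer.Ordinal))
                log.LogWarning("post_logout_redirect_uri {Sent} is not in the registered list", sent);
            return Task.CompletedTask;
        }
    };
});
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "Signed out");
// Signs out of both schemes; the OIDC handler issues the redirect to the end-session endpoint.
app.MapPost("/logout", () => Results.SignOut(
    new AuthenticationProperties { RedirectUri = "/" },
    new[] { CookieAuthenticationDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme }));
app.Run();
```

The logged value shows the scheme, host, port and path exactly as they leave the application, so a difference from the registered entry (for example `http` instead of `https`, or a different port) is visible before the identity provider rejects the request.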

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 