How to Sign out of ASP.NET from End Session Endpoint?

[Mike-E-angelo]

IdentityServer version

7.1

.NET version

9.0

Description

We have an Uno application that is authenticating users with Open ID Connect via Duende Identity Server. Everything works great and I wanted to thank you for all your efforts out there. 🙏

The problem we are having is when the user logs out. This calls /connect/endsession endpoint but it apparently does not delete the ASP.NET Cookie as described here.

Is there a way to do this? Thank you for any assistance you can provide.

Reproduction steps

NA

Expected behavior

No response

Logs

No response

Additional context

Thank you again for creating such a great product! 🙏

[RolandGuijt]

Since you're mentioning cookies and ASP.NET Core, are you hosting an Uno WebAssembly app with ASP.NET Core?
Also: can you please post the IdentityServer client configuration for the app?

[Mike-E-angelo]

Thank you for your assistance @RolandGuijt. Please note this is a device-based Uno application, so Android and iOS. No WebAssembly is involved. The Android/iOS device is calling into Duende Identity Server with the Uno OidcAuthenticationProvider (via OidcClient). This then launches the browser on the device (Chrome/Safari) where the cookie is stored.

There are indeed a lot of moving pieces here. 😁 Please let me know if you have any further questions and I will assist you.

Here is my configuration:

[RolandGuijt]

Typically a native app (iOS, Android) relies on the access token/refresh token mechanism of OAuth to do its work. It doesn't need or use the session. So it's OK to set the session lifetime to a short duration since it's only used to authenticate the user.
The meaning of "logging out" in an application like that in many cases just means revoking the refresh token at the revocation endpoint and then let the session die out.
Can this approach be used in your situation?

[Mike-E-angelo]

Thank you very much for your continued assistance @RolandGuijt it is appreciated. To start, I want to be sure we understand this is Open ID Connect and not plain Oauth2. Uno has an Open ID Connect provider as well as an Oauth2 provider. We chose the OIDC provider as that seemed to allow what we were after: basic username/password entry. The Duende templates set this up wonderfully and it works really well for our purposes:

Note the Remember My Login as well, as this appears to be a feature to consider when saving the session. Even with this unchecked the cookie remains and the next time Chrome loads this page on the user's device it simply forwards the user back to the application in an authenticated state.

As I understand your suggestion, we should decrease the session lifetime to a much smaller amount (a couple of seconds?). If we do this, what happens to the Remember My Login feature, I wonder?

in many cases just means revoking the refresh token at the revocation endpoint and then let the session die out.

I am a little confused here as the OIDC provider implemented by Uno does not appear to be doing this but calling the OidcClient.LogoutAsync which seems to be ending the session.

Any clarification would be appreciated. 🙏

[RolandGuijt]

The "Remember my login" feature sets a separate cookie in the browser, so you should be fine.

Regarding the call to LogoutAsync: that is correct behavior. That will call the end session endpoint on Identity Server triggering single logout. If other (web) clients have front- or back-channel logout configured their sessions will end automatically.

[Mike-E-angelo]

That will call the end session endpoint on Identity Server triggering single logout

Correct, but it doesn't delete the cookie as we are discussing, correct? I am trying to understand why Duende is setting cookies it does not delete following the expected workflow. That is, it will log in the user, set cookies, but it will log out (end session) without deleting the cookies it set.

Additionally, as it sounds like there are two cookies with the Remember My Login I want to be sure that this one gets deleted as well.

If other (web) clients have front- or back-channel logout configured their sessions will end automatically.

I would appreciate some further clarity around this. The only web client I am aware of is the one that I am using for Uno. Thank you for your continued assistance.

[RolandGuijt]

My remark about the Remember my Login cookie wasn't correct. By default the lifetime of the session cookie is tied to the browser session (it will be deleted when the browser closes). When the option is checked an absolute lifetime will be used that survives browser closes. I'll follow up with the rest of your questions soon.

[RolandGuijt]

Logging in at the identity provider (idp) is done via a browser. As part of the process the idp will set a cookie in the browser. The purpose of that cookie is basically to prevent users from having to login again when using web applications. When users open application A in one tab in the browser and log in and then go to another tab and try to use application B that trusts the same idp, the idp will detect a valid session because of the cookie and log in automatically without showing the login screen. This is a process known as single signon.

But in your case there is no browser involved except to facilitate the login process. During that process a cookie is set as normal but it isn't relevant to the application. All that matters is the access and refresh token. "Logging out" with a native app basically means revoking that.

Front- and back-channel logout are ways to notify other clients that a logout has occurred. So if in the above example application A logs out, application B is notified so it can delete it's own session cookie (not the idp one).
Specs are here and here.

Hope that clarifies things.