I am having an issue where I cannot seem to get my Identity Server logout to show the confirmation first. I downloaded the source code for IdentityServer4 from github and found the parameter in the Models folder: LogoutRequest.cs, ShowSignOutPrompt. There are no references to it in IdentityServer except to check it during the logout.
In debugging, I see that it is false. I don't know where this is supposed to get set, I've checked the options for the client config on both the server and client side, as well as the options on server startup.
I can find no instances of "ShowSignoutPrompt" in the client code (I'm using the IdentityServer3 Owin Hybrid client sample currently).
Here's the code flow: We have a button in our default layout which triggers the client's AccountController.Signout():
    // Client-side (IdentityServer3 Owin Hybrid sample) sign-out action
    public void Signout()
    {
        // Signs out of all configured authentication middlewares, which in turn
        // triggers the OIDC end session request to IdentityServer
        Request.GetOwinContext().Authentication.SignOut();
    }
From there, I'm not exactly sure how, but the next point it hits is IdentityServer's AccountController.Logout(string logoutId). That method builds the logout prompt view (using checks in AccountServices.BuildLogoutViewModelAsync) and returns it to the user's browser. The only way it works properly, without ShowSignoutPrompt being set to false, is if PostLogoutRedirectUri is set to "/signout-callback-oidc". I don't know why.
When the user clicks "yes" on the view generated above, it goes to IdSrvr's AccountController.Logout(LogoutInputModel model). I am trying to change the last line of that method from:
    return View("LoggedOut", vm);
to:
    return Redirect(vm.PostLogoutRedirectUri);
There's another problem here in that the PostRedirectUri is null here, even though I set it on the client config (well, for that matter, Identity Server's client config also has it).
There is no client attribute to control this.
When logging out the client application calls the IdentityServer4 End Session Endpoint.
The signout prompt can be bypassed when a client sends the original id_token. This is passed in as the id_token_hint parameter.
In addition, it indicates if the request for the sign-out has been authenticated, and therefore it's safe to not prompt the user for sign-out (per the reference).
ShowSignoutPrompt: Indicates if the user should be prompted for signout based upon the parameters passed to the end session endpoint. (Source PDF)
NOTE: If you are using the JavaScript OIDC-Client-JS library, the 'signoutRedirect' method will internally check (see the _signoutStart method, line 354) for the id_token_hint argument or the user's id_token. So if you are using this library to log a user off and want to force the logout screen, you will have to clear user.id_token.
Sample section from _signoutStart() (elided parts marked with ...):
    _signoutStart(args = {}, navigator, navigatorParams = {}) {
        ...
        // an explicit id_token_hint argument wins; otherwise the cached user's id_token is used
        var id_token = args.id_token_hint || user && user.id_token;
        if (id_token) {
            Log.debug("Setting id_token into signout request");
            // this hint is what lets the end session endpoint skip the signout prompt
            args.id_token_hint = id_token;
        }
        ...
    }
UPDATE:
If you are using IdentityServer4 version 2.x you can use the new class ClientProperty to store key-value pairs. In it you could create a key of "LogoffPromptRequired" and a value of "true" to be used in the client or IdentityServer implementation to determine if the log-off screen is required.
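Added example (not code from the question, the answer, or oidc-client-js itself) that models the mechanism the answer describes: how the client's signout request picks up an id_token_hint, how that hint lets the end session endpoint skip the confirmation, and how clearing the cached id_token forces the prompt. The authority, the /connect/endsession path and the token values are constructed for the example.

```javascript
// Mirrors the precedence shown in _signoutStart: an explicit id_token_hint
// argument wins, otherwise the stored user's id_token is used as the hint.
function buildSignoutParams(args, user) {
  const params = { ...args };
  const idToken = args.id_token_hint || (user && user.id_token);
  if (idToken) {
    params.id_token_hint = idToken;
  }
  return params;
}

// Encodes the parameters into the end session URL. Authority and path are
// assumptions here; a real client takes them from discovery metadata.
function buildEndSessionUrl(authority, params) {
  const url = new URL("/connect/endsession", authority);
  for (const [key, value] of Object.entries(params)) {
    if (value !== undefined && value !== null) {
      url.searchParams.set(key, String(value));
    }
  }
  return url.toString();
}

// Simplified model of the server-side decision: the prompt is shown unless
// the request carries an id_token_hint that validates. "Validates" is
// modelled as membership in a constructed set of tokens the server issued,
// so an unknown or forged hint still results in a prompt.
function showSignoutPrompt(params, issuedIdTokens) {
  const hint = params.id_token_hint;
  return !(hint && issuedIdTokens.has(hint));
}

// Forcing the prompt from the client side, as the answer suggests:
// return a copy of the user without its cached id_token so no hint is sent.
function forceLogoutPrompt(user) {
  const { id_token, ...rest } = user;
  return rest;
}

// Constructed sample data: a cached user and the server's record of issued tokens.
const sampleUser = { id_token: "constructed.id.token", access_token: "constructed.at" };
const sampleIssued = new Set(["constructed.id.token"]);

function demo() {
  const silent = buildSignoutParams({ post_logout_redirect_uri: "https://app.example/signout-callback-oidc" }, sampleUser);
  const forced = buildSignoutParams({}, forceLogoutPrompt(sampleUser));
  return {
    silentUrl: buildEndSessionUrl("https://idsrv.example", silent),
    silentPrompts: showSignoutPrompt(silent, sampleIssued),   // false: hint validates
    forcedPrompts: showSignoutPrompt(forced, sampleIssued),   // true: no hint sent
  };
}
```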