IdentityServer4 PostLogoutRedirectUri

identityserver4
JakeJ picture JakeJ · Mar 5, 2018 · Viewed 14.8k times · Source

I am confused about how this is used.

Most examples I've seen have it given as "/signout-callback-oidc". That seems to indicate that it uses OIDC middleware in the process. What if I want to return to a specific client page?

The automatic redirect isn't working when I set IdentityServer's AccountOptions.cs property of AutomaticRedirectAfterSignOut to true. Further, during logout, I do not receive the client's PostLogoutRedirectUri.

So, is that link supposed to go to the OIDC middleware, or is it available for use to redirect to the client?

Answer

McGuireV10 picture McGuireV10 · Mar 5, 2018

Your client has to be configured to request the callback to one of those URIs as part of the client-initiated sign-out flow.

IS4 clients can be configured with lists of allowable redirect URIs for both sign-in and sign-out, which I'm guessing is where you see /signout-callback-oidc -- if I remember right, either the docs or maybe the Quickstart code uses that, but there's nothing special about that particular URI name. (It isn't some OIDC standard, or a "well-known" name, or anything of that nature, as far as I know.)

The missing piece of the puzzle is to configure OIDC in the client application. You didn't mention what kind of application is on the client side, but in ASP.NET Core it's an option named SignedOutCallbackPath on the AddOpenIdConnect service:

services.AddOpenIdConnect("oidc", options =>
{
    options.SignInScheme = "Cookies";
    options.Authority = appConfig["OidcAuthority"];
    options.ClientId = appConfig["OidcClientId"];
    options.ClientSecret = appConfig["OidcClientSecret"];
    // etc

    options.SignedOutCallbackPath = "/jake-says-goodbye";
});

This causes the OIDC implementation to add a property to the sign-out request identifying that redirect URI. As long as your application properly identifies itself, as briefly mentioned in the docs here, and as long as /jake-says-goodbye is one of the approved post-logout redirect URIs on the IS4 side, you should get the callback you're expecting.

(I specifically mention "proper" identification because, based on github questions I've seen, it sounds like it might be more difficult to manage for a JS-based SPA client app versus whatever helpful things MVC does behind the scenes to manage server-to-server OIDC interaction. I can't speak to that as I've not had a need to implement any SPA clients with IS4 yet.)

Related questions

IdentityServer4 register UserService and get users from database in asp.net core

I've searched all over on how to register a UserService with IdentityServer4 in asp.net core, but I cant seem to find the right way to do it. This is the code to register InMemoryUsers found here, however I would …

Read More
How to add custom claims to access token in IdentityServer4?

I am using IdentityServer4. I want to add other custom claims to access token but I'm unable to do this. I have modified Quickstart5 and added ASP.NET Identity Core and the custom claims via ProfileService as suggested by Coemgen …

Read More
Identity Server 4: adding claims to access token

I am using Identity Server 4 and Implicit Flow and want to add some claims to the access token, the new claims or attributes are "tenantId" and "langId". I have added langId as one of my scopes as below and then …

Read More