Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
I'm executing a GET to

GET https://localhost:44301/connect/endsession?id_token_hint=eyJhbGciO...GzHCPw

as suggested in the docs for the EndSession endpoint.

It seems to work (in a way) because I get a hit on my breakpoint in the method redirected to.

[HttpGet("logout")]
public async Task<IActionResult> LogOut(
    [FromQuery] string id_token_hint,
    [FromQuery] string post_logout_redirect_uri,
    [FromQuery] string session,
    [FromQuery] string logoutId)
{
    LogoutRequest context = await InteractionService
        .GetLogoutContextAsync(logoutId);
    ...
}

Here, I'm getting a value in logoutId (unless I skip passing the identity token, resulting in null), while the other variables are not set, staying as null. At first, I was happy to see that context wasn't null. However, I soon learned that it's set poorly, despite following stuff that works.

I can see the client's name and ID (which seems to be correct). However, everything else is null except for the array Parameters, which contains zero elements.

I've made sure to pass in the identity token, not access token. I've also tried the full version with all the parameters described in the docs (trying various redirect URLs both mentioned in my configuration and others). The same (mis)behavior followed, though.

GET https://localhost:44301/connect/endsession
?id_token_hint=eyJhbGciO...GzHCPw
&post_logout_redirect_uri=https://get_the_duck.off
&session=1337

Since I'm getting the breakpoint hit and receive some value as logoutId parsable by the interaction service, I feel that it's wired up correctly (which is expected since the security as such works as expected). However, my application seems to be a stalker and just won't let them go, so to speak. I suspect there's some tiny detail that the docs don't mention (or obscure in a formulation I don't comprehend). (Googling gave nothing I recognized as relevant.)

Proof of effort (along with a bunch of blogs on security, not dedicated to the signout specifically).


1 Answer

Why do you need to call that endpoint? There are many cookies/sessions involved and the easiest is to do it in ASP.NET Core using:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;

[HttpPost]
[ValidateAntiForgeryToken]
public async Task Logout()
{
    // Clear the local application cookie first...
    await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    // ...then let the OIDC handler redirect to the provider's end-session endpoint.
    await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);

    //Important, this method should never return anything.
}

This usually works for me to do a complete signout from my ASP.NET Core client.

Also, it is a best practice to only accept logout using HTTP POST, not GET.


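The following is an added example, not code from the question or the answer above. It puts the answer's two recommendations into one ASP.NET Core controller: logout only happens on a POST carrying an antiforgery token, and both the cookie scheme and the OIDC scheme are signed out so the OIDC handler builds the end-session redirect itself. It also adds the check the question's hand-built `post_logout_redirect_uri=https://get_the_duck.off` request glosses over: the return URL is compared against an exact allow-list before it is forwarded, so a crafted link cannot turn logout into an open redirect. `LogoutOptions` and its `AllowedPostLogoutRedirectUris` list are hypothetical names assumed to be bound from configuration; everything else is standard ASP.NET Core API.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

// Hypothetical options type (not from the page): the exact absolute URIs this
// client is willing to be sent back to after the provider ends the session.
public sealed class LogoutOptions
{
    public List<string> AllowedPostLogoutRedirectUris { get; set; } = new();
}

[Authorize]
public class AccountController : Controller
{
    private readonly LogoutOptions _options;

    public AccountController(IOptions<LogoutOptions> options) => _options = options.Value;

    // GET only renders a confirmation form. It never clears a session, so an
    // <img> or <a> tag pointing here cannot log a user out (logout CSRF).
    [HttpGet]
    public IActionResult Logout(string? returnUrl = null) => View(model: returnUrl);

    // POST with a valid antiforgery token is the only path that signs out.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Logout(string? returnUrl, bool confirmed)
    {
        if (!confirmed)
            return RedirectToAction("Index", "Home");

        // Forward the return URL only if it is on the allow-list; otherwise fall
        // back to the application root rather than a caller-chosen host.
        var redirectUri = IsAllowedRedirect(returnUrl, _options.AllowedPostLogoutRedirectUris)
            ? returnUrl!
            : Url.Content("~/");

        // SignOutResult signs out of both schemes: the cookie handler deletes the
        // local session cookie, and the OIDC handler issues the redirect to the
        // provider's end-session endpoint (adding id_token_hint and
        // post_logout_redirect_uri from RedirectUri itself). Because the handler
        // writes that response, the action must not write another one.
        var props = new AuthenticationProperties { RedirectUri = redirectUri };
        return SignOut(props,
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme);
    }

    // Exact match on scheme, host, port and path; relative URLs, non-HTTPS URLs
    // and anything not on the list are rejected.
    internal static bool IsAllowedRedirect(string? candidate, IEnumerable<string> allowed)
    {
        if (string.IsNullOrWhiteSpace(candidate))
            return false;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out var uri))
            return false;
        if (uri.Scheme != Uri.UriSchemeHttps)
            return false;

        return allowed.Any(a =>
            Uri.TryCreate(a, UriKind.Absolute, out var allowedUri) &&
            Uri.Compare(uri, allowedUri,
                UriComponents.SchemeAndServer | UriComponents.Path,
                UriFormat.Unescaped,
                StringComparison.OrdinalIgnoreCase) == 0);
    }
}
```

Wiring the allow-list from configuration (for example `services.Configure<LogoutOptions>(Configuration.GetSection("Logout"))`) keeps the accepted URIs next to the rest of the OIDC client settings, and the list should mirror what is registered for the client on the identity provider, since the provider enforces its own `PostLogoutRedirectUris` check as well.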