Add signed-out callback path coverage #34378

@guardrex

Description

@halter73 per dotnet/aspnetcore#51202 ...

Main doc set

For the main doc set, we only have SignedOutCallbackPath/signout-callback-oidc covered for the OIDC article. However, it isn't actually covered in the article. It's covered via the commented-out configuration and remark in the sample app's Program file.

We don't maintain an Entra-enabled ASP.NET Core app article or sample AFAIK. We defer to the Azure/Entra docs and samples for that, and IDK what coverage they have. Let me know if you want me to go look.

Blazor

Blazor BWA+OIDC

  • Configure the app section of the article. Scroll down to Path configuration > SignedOutCallbackPath. That content appears for both BFF and non-BFF article pivots.
  • In the sample apps, we have commented-out code and a remark (example).

Blazor BWA+Entra

We don't discuss it in the article, and we don't configure it or comment on SignedOutCallbackPath/signout-callback-oidc in the sample app.

I propose to add guidance in the Configure the app section akin to what we have in the OIDC article with a remark on Entra's behavior. If you agree with the following, I'll place it into the BWA+Entra article ...

The <xref:Microsoft.AspNetCore.Builder.OpenIdConnectOptions.SignedOutCallbackPath%2A> is the request path within the app's base path where the user agent is returned after signing out from the identity provider. The default value is "`/signout-callback-oidc`" (configuration key: "`SignedOutCallbackPath`").

In the Entra or Azure portal, set the path in the **Web** platform configuration's **Redirect URI** entries:

> :::no-loc text="https://localhost/signout-callback-oidc":::

If you fail to add the sign-out callback URI to the app's registration, Entra refuses to redirect the user back to the app and merely asks them to close their browser window.

> [!NOTE]
> A port isn't required for `localhost` addresses when using Microsoft Entra ID. Most other OIDC providers require a correct port.

> [!NOTE]
> Entra currently only redirects back to the <xref:Microsoft.AspNetCore.Builder.OpenIdConnectOptions.SignedOutCallbackPath%2A> if the `microsoftonline.com` Authority (`https://login.microsoftonline.com/{TENANT ID}/v2.0/`) is used. This limitation doesn't exist if you can use the "common" Authority with Microsoft Identity Web. For more information, see [postLogoutRedirectUri not working when authority url contains a tenant ID (`AzureAD/microsoft-authentication-library-for-js` #5783)](AzureAD/microsoft-authentication-library-for-js#5783).

Page URL

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/blazor-web-app-with-entra?view=aspnetcore-9.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/security/blazor-web-app-with-entra.md

Document ID

58758d13-94c9-e208-e0f6-16676834413c

Article author

@guardrex

Status

Done
