
.Net Core SignOut() RedirectUri not working #28009

Closed
TestO2015 opened this issue Nov 20, 2020 · 9 comments
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. Status: Resolved

Comments

@TestO2015

I'm trying to do a SignOut with a redirect uri specified in the AuthenticationProperties. It redirects to the OIDC SignedOutCallbackPath I configured but doesn't make it to the RedirectURI.

    [HttpGet("Logout")]
    public async Task Logout()
    {
        var prop = new AuthenticationProperties()
        {
            RedirectUri = "http://google.com"
        };

        await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme, prop);
    }

Setup and info:

  • The app has Cookie and OpenId Connect authentication setup
  • Connects to Oracle IDCS.
  • Both HttpContext.SignOutAsync() and SignOut() have the same result.
  • A login via ChallengeRequest with a RedirectUri on the other hand works.

How does the Redirect URI actually work inside - ex. does it get sent to the Identity Provider and back? Any clues as to why this doesn't work?

@javiercn javiercn added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Nov 20, 2020
@Tratcher
Member

Here's the part where the signout starts. It forwards the RedirectUri via a state property just like Challenge does.

    // Get the post redirect URI.
    if (string.IsNullOrEmpty(properties.RedirectUri))

And here's where it comes back:

    var message = new OpenIdConnectMessage(Request.Query.Select(pair => new KeyValuePair<string, string[]>(pair.Key, pair.Value)));
    AuthenticationProperties properties = null;
    if (!string.IsNullOrEmpty(message.State))
    {
        properties = Options.StateDataFormat.Unprotect(message.State);
    }

If you trace the request do you see the state field coming back? If you hook into the SignedOutCallbackRedirect event do you see the RedirectUri you set in the Properties?

@Tratcher Tratcher added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label Nov 20, 2020
@AndrewTriesToCode
Contributor

@Tratcher beat me to it but I'll add that it seems not all OpenID Connect providers actually call the sign out callback, or if they do it's just a static preconfigured URL they'll hit--without the state information passed in. If you don't see the callback getting called that could be why.

OpenID Connect and OAuth sign out isn't as well-defined as sign in.

@TestO2015
Author

TestO2015 commented Nov 22, 2020

@Tratcher The OnRedirectToIdentityProviderForSignOut event does show the .redirectUri property. OnRemoteSignOut does not and OnSignedOutCallbackRedirect isn't called at all.

I can see the state field present when it reaches the signed out callback path:

https://myhost/myapp/signout-oidc?state=CfDJ8FDX1DIGbFhFpGXGafv92zCXFWXuErnnkL5NwfZ2AINAiKEOY4OmXcRtNLzG07hjHXDgQrMq5k-1gaXeG_vWx2_ljys1Qqn9ahV3qOLMH6V_LeETjROjNsCbYUmbDB52JysBVeLwsqawQALjK25-9jVM_sedBCirBATW0ltc1TO6

@AndrewTriesToCode Do you think the fact that OnSignedOutCallbackRedirect isn't hit indicates that Oracle IDCS doesn't call the signed out callback?

@ghost ghost added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. labels Nov 22, 2020
@Tratcher
Member

> Do you think the fact that OnSignedOutCallbackRedirect isn't hit indicates that Oracle IDCS doesn't call the signed out callback?

Makes sense. It's interesting it called OnRemoteSignOut instead. That's normally reserved for notifications that a central sign-out was requested by another application.

It might also be a registration issue. You've registered the login callback path ("/signin-oidc") with Oracle, right? What about the signed out callback path "/signout-callback-oidc"?

    SignedOutCallbackPath = new PathString("/signout-callback-oidc");
    RemoteSignOutPath = new PathString("/signout-oidc");

@Tratcher Tratcher added Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. and removed Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. labels Nov 23, 2020
@TestO2015
Author

TestO2015 commented Nov 24, 2020

> It might also be a registration issue. You've registered the login callback path ("/signin-oidc") with Oracle, right? What about the signed out callback path "/signout-callback-oidc"?

Yes I do have /signin-oidc configured in Oracle under the Post Logout Redirect Uri.

I can see that the post_logout_redirect_uri is not set correctly in the logout API call. It always uses the OIDC SignedOutCallbackPath regardless of what I've configured in the RedirectUri. I tested in Azure AD and it works fine - it uses the RedirectUri and OnSignedOutCallbackRedirect gets called - but I need to use Oracle IDCS.

https://idcs-9ce....identity.oraclecloud.com/oauth2/v1/userlogout?post_logout_redirect_uri=https%3A%2F%2Fmyapp%2Fsignout-callback-oidc&id_token_hint=...

@ghost ghost added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. labels Nov 24, 2020
@Tratcher
Member

> I can see that the post_logout_redirect_uri is not set correctly in the logout API call. It always uses the OIDC SignedOutCallbackPath regardless of what I've configured in the RedirectUri.

That's expected. It's supposed to return to "/signout-callback-oidc" and then be redirected locally to your RedirectUri. Make sure "/signout-callback-oidc" is registered as a valid Post Logout Redirect Uri.

@Tratcher Tratcher added Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. and removed Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. labels Nov 24, 2020
@TestO2015
Author

@Tratcher I was setting the OIDC SignedOutCallbackPath to "/signout-oidc" and apparently that causes the RedirectUri to not be used. I'm not sure why.

After registering the default "/signout-callback-oidc" value in IDCS instead, it works - I'm good with this.

Thanks for your help.

@ghost ghost added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. labels Nov 25, 2020
@Tratcher
Member

signout-oidc is the value for RemoteSignOutPath which is intended to handle a different flow. Setting them to the same value seems to have caused a conflict.

    SignedOutCallbackPath = new PathString("/signout-callback-oidc");
    RemoteSignOutPath = new PathString("/signout-oidc");

@Tratcher Tratcher added ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. and removed Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. labels Nov 25, 2020
@ghost ghost added the Status: Resolved label Nov 25, 2020
@ghost

ghost commented Nov 26, 2020

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.

@ghost ghost closed this as completed Nov 26, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 26, 2020
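
The resolution reached in this thread, as an added configuration example that is not code from the thread or from the ASP.NET Core repository: the two sign-out paths are kept distinct, startup fails if they collide, and the callback event logs the local redirect target. The `Authority`, `ClientId`, class names and the `/signed-out` page are placeholder assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class OidcSetup // hypothetical helper, called from ConfigureServices
{
    public static void AddOidcSignOut(this IServiceCollection services) =>
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(o =>
        {
            o.Authority = "https://idp.example.test"; // placeholder
            o.ClientId = "example-client";            // placeholder
            // Two different flows, two different paths. The first one is what
            // must be registered with the provider as a post-logout redirect URI.
            o.SignedOutCallbackPath = new PathString("/signout-callback-oidc");
            o.RemoteSignOutPath = new PathString("/signout-oidc");
            if (o.SignedOutCallbackPath == o.RemoteSignOutPath)
                throw new InvalidOperationException(
                    "SignedOutCallbackPath and RemoteSignOutPath must differ.");
            // Runs only when the provider returns to SignedOutCallbackPath.
            o.Events.OnSignedOutCallbackRedirect = ctx =>
            {
                ctx.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
                    .CreateLogger("OidcSignOut")
                    .LogInformation("Post-logout redirect to {Uri}", ctx.Properties?.RedirectUri);
                return Task.CompletedTask;
            };
        });
}

public class AccountController : Controller
{
    [HttpGet("Logout")]
    public IActionResult Logout() =>
        SignOut(new AuthenticationProperties { RedirectUri = "/signed-out" }, // hypothetical local page
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme);
}
```

If the log line never appears after a logout, the provider is not returning to the signed-out callback path, which matches the symptom described in the thread.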