Sadly the OWIN middleware is not supporting HttpPost sign-out actions.
As a workaround, you can manually post the necessary parameter to the end session endpoint.
I provide a link in my MVC5 application, so that a user is able to logout:
    @using System.Security.Claims
    @{
        // Read the id_token claim of the current user; it is posted as id_token_hint below.
        Claim idTokenHintClaim = Request.GetOwinContext().Authentication.User.FindFirst("id_token");
        string idTokenHint = idTokenHintClaim != null
            ? idTokenHintClaim.Value
            : null;
    }
    <form action="https://.../core/endsession" method="POST" id="logoutForm">
        <input type="hidden" name="id_token_hint" value="@idTokenHint"/>
        <input type="hidden" name="post_logout_redirect_uri" value="@PostLogoutRedirectUrl"/>
    </form>
    <a href="javascript:document.getElementById('logoutForm').submit()">
        Logout
    </a>
The IdentityServer3 is doing its job and destroys the current user session. After that, IdentityServer3 calls our @PostLogoutRedirectUrl. The @PostLogoutRedirectUrl points to a controller method of the MVC application:
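    public ActionResult LogoutCallback()
    {
        // Replace the application cookie with an already-expired one so the browser deletes it.
        HttpCookie cookie = new HttpCookie("SecureCookieName");
        cookie.HttpOnly = true;
        cookie.Expires = new DateTime(1999, 10, 12);
        Response.Cookies.Remove("SecureCookieName");
        Response.Cookies.Add(cookie);
        // Application-specific helper, defined elsewhere in the application.
        SetPasswordResetHint();
        return RedirectToAction("Index");
    }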
I hope the support for HttpPost methods will be added in the OWIN middleware soon.