0

I have IdentityServer4 running in Azure on an https url, and I'm using an Angular CLI project with the angular-oauth2-oidc library to handle the Implicit Flow. I'm trying to set up Single Sign Out, but it's not working correctly.

I'm calling logOut on the OAuthService which was auto-configured (via the Discovery Document) to use a logout url on the auth server, i.e. https://my-id4-server.example.com/connect/endsession with query string parameters containing a token_hint and a postLogoutUri.

For some reason, the actual behavior is that IdentityServer4 redirects (302) the browser to the url https://my-id4-server.example.com/account/logout?logoutid=..., for which the browser gets a 404. In addition, if I open the IdentityServer pages in a separate tab, I can see my session is still alive.

The expected behavior is that my session is ended, and that I get redirected back to my SPA.

On the ID4Server side I've configured:

  • RedirectUris and PostLogoutRedirectUris with http://localhost:4200 (where my SPA runs currently), amongst others;
  • AllowedGrantTypes is set to Implicit
  • AllowedCorsOrigins also allows my localhost SPA

In addition I can see the endsession endpoint correctly configured in the .well-known configuration endpoint.

On the SPA side I've configured issuer, redirectUri, clientId, and scope. Logging in with a redirect back works just fine.

Bottom line: what is wrong if the endsession endpoint redirects to account/logout which in turn gives a 404?

Jeroen
  • 60,696
  • 40
  • 206
  • 339

2 Answers2

1

The problem was that the Controller action for Logout(...) was missing on the IdentityServer side of things. If you don't have those but everything else is there, then you get said behavior.

Jeroen
  • 60,696
  • 40
  • 206
  • 339
0

I'd guess that account/logout is the default redirect for this flow and you need to either change it to your actual logout URL in the IDS4 settings or simply implement that endpoint.

It's by design that IDS4 hands control over to you after the endsession endpoint is hit. You get passed a logoutid param which you can then use in combination with IIdentityServerInteractionService to get information about the endsession request and take the necessary action - e.g. prompt for confirmation, load the front channel logout iframe, deal with signing out of an external IDP etc.

mackie
  • 4,996
  • 1
  • 17
  • 17