0

I've got IdentityServer4 running with Google as a 3rd party identity provider. When a user logs in to IdentityServer via Google, how can I make IdentityServer detect, or otherwise get alerted, when the user logs out of Google directly? To be clear, I'm not trying to log the user out of Google when they log out of IdentityServer.

According to the IdentityServer4 docs:

"Federated sign-out is the situation where a user has used an external identity provider to log into IdentityServer, and then the user logs out of that external identity provider via a workflow unknown to IdentityServer... Not all external identity providers support federated sign-out, but those that do will provide a mechanism to notify clients that the user has signed out".

Does Google support this? I'm guessing, though not sure, that this functionality goes through the "check_session_iframe" OIDC endpoint, which I don't see in Google's discovery document (https://accounts.google.com/.well-known/openid-configuration).

If Google does support this, how do I configure this in IdentityServer, or via the client app (using oidc-client-js), to get this notification? Currently I'm handling the oidc-client-js UserManager event for addUserSignedOut() where I'd expect this to go. Indeed, when I externally sign out of IdentityServer directly, this gets called.

pdpc

1 Answer

0

Google and Facebook external identity providers do not support federated sign-out. For more details refer to this link - Identity Server 4 - federated logout of google when used as an idp

However, for those identity providers that support federated sign-out, for OpenIdConnect, you can use OpenIdConnectEvents in the services.AddAuthentication().AddOpenIdConnect(...) method in Startup.cs to check the remote sign-out event.

Aparna Gadgil
  • Thank you. For both the cases in the linked question and the link to GitHub from that answer, it appears they're trying to sign the user out of Google when the user signs out of IdentityServer. I am trying to determine support for the case where 1) the user signs into IdentityServer via Google, 2) _the user signs out of Google directly_, 3) IdentityServer is notified. The answer may be the same, as indicated in your second paragraph, but can you verify that's the case? – pdpc Nov 08 '19 at 17:18
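
An added example, not part of the original question, answer or comment: a check of an OpenID Connect discovery document for the metadata that advertises sign-out notification (`check_session_iframe`, `frontchannel_logout_supported`, `backchannel_logout_supported`), kept separate from `end_session_endpoint`, which only lets a client start a logout at the provider. The function names are hypothetical and both metadata objects are constructed samples, not any real provider's document.

```javascript
// Added example. Metadata names are from the OIDC Session Management,
// Front-Channel Logout, Back-Channel Logout and RP-Initiated Logout specs.
function isHttpsUrl(value) {
  if (typeof value !== "string") return false;
  try {
    return new URL(value).protocol === "https:";
  } catch {
    return false; // not a parseable absolute URL
  }
}

// Reports which sign-out mechanisms a provider advertises in its discovery document.
function signOutSupport(metadata) {
  const notify = [];
  // Session Management: the client polls this iframe to detect session changes.
  if (isHttpsUrl(metadata.check_session_iframe)) notify.push("session_management");
  // Flags must be JSON booleans; a string such as "true" is not counted as support.
  if (metadata.frontchannel_logout_supported === true) notify.push("front_channel");
  if (metadata.backchannel_logout_supported === true) notify.push("back_channel");
  return {
    issuer: metadata.issuer,
    notify,
    // True only if the provider can tell relying parties that the user signed out there.
    canNotifyOnProviderSignOut: notify.length > 0,
    // RP-initiated logout: the client can end the provider session, but this
    // endpoint gives no signal when the user signs out at the provider directly.
    canStartLogoutAtProvider: isHttpsUrl(metadata.end_session_endpoint),
  };
}

// Constructed sample: a provider that advertises no logout metadata at all.
const noLogoutMetadata = {
  issuer: "https://idp-a.example",
  authorization_endpoint: "https://idp-a.example/authorize",
  token_endpoint: "https://idp-a.example/token",
  jwks_uri: "https://idp-a.example/jwks",
};

// Constructed sample: a provider that advertises several mechanisms.
const fullMetadata = {
  issuer: "https://idp-b.example",
  end_session_endpoint: "https://idp-b.example/connect/endsession",
  check_session_iframe: "https://idp-b.example/connect/checksession",
  frontchannel_logout_supported: true,
  backchannel_logout_supported: "true", // malformed on purpose: string, not boolean
};

console.log(signOutSupport(noLogoutMetadata));
console.log(signOutSupport(fullMetadata));
```

A provider for which `canNotifyOnProviderSignOut` is false gives a downstream server nothing to subscribe to, so the downstream session has to be bounded by its own lifetime settings.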