I have an ASP.NET MVC application with framework 4.7.2. The application is configured to use IdentityServer3 using OpenIDConnect. When the user clicks on the Logout button, the following code is invoked.

Action Method

The logout action method gets invoked first.

    [HttpPost]
    public ActionResult Logout()
    {
        Session.Clear();
        if (Request.IsAuthenticated)
        {
            Request.GetOwinContext().Authentication.SignOut();
        }
        return Redirect("/");
    }

In Owin Startup.cs I have configured OpenIDConnect. The RedirectToIdentityProvider event fires next. Here, I am setting IdTokenHint when RequestType is Logout.

    using System.Configuration;
    using System.Threading.Tasks;
    using System.Web.Mvc;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Local session cookie issued after the OpenID Connect sign-in.
            var cookieOptions = new CookieAuthenticationOptions
            {
                AuthenticationType = "Cookies",
                LoginPath = new Microsoft.Owin.PathString("/Home"),
                SlidingExpiration = true,
                ExpireTimeSpan = GetCookieExpiration()
            };
            var openIdOptions = new OpenIdConnectAuthenticationOptions
            {
                Authority = ConfigurationManager.AppSettings["id:Authority"],
                Scope = "openid email profile",
                ClientId = "My ClientId",
                RedirectUri = "http://localhost:58641/Home",
                ResponseType = "id_token",
                SignInAsAuthenticationType = "Cookies",
                UseTokenLifetime = false,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    SecurityTokenValidated = (context) =>
                    {
                        //code here removed for brevity
                        return Task.FromResult(0);
                    },
                    RedirectToIdentityProvider = (context) =>
                    {
                        // On sign-out, pass the stored id_token to the end session endpoint.
                        if (context.ProtocolMessage.RequestType == Microsoft.IdentityModel.Protocols.OpenIdConnectRequestType.LogoutRequest)
                        {
                            // Guard against a missing claim instead of dereferencing null.
                            var idTokenHint = context.OwinContext.Authentication.User?.FindFirst("id_token")?.Value;
                            if (idTokenHint != null)
                            {
                                context.ProtocolMessage.IdTokenHint = idTokenHint;
                            }
                        }
                        return Task.FromResult(0);
                    }
                }
            };
            app.UseCookieAuthentication(cookieOptions);
            app.UseOpenIdConnectAuthentication(openIdOptions);
            MvcHandler.DisableMvcResponseHeader = true;
        }
    }

In Fiddler I see it makes a call to

    /identity/connect/endsession?id_token_hint=xxxxxxxx

However, the HTTP verb it's using is OPTIONS. So the IdentityServer throws the error: The requested resource does not support http method 'OPTIONS'

Not sure what I am missing here.
Edit 1
In the browser console I see the following error:
Access to XMLHttpRequest at 'https://localhost:44300/identity/connect/endsession?id_token_hint=xxxxxxx' (redirected from 'http://localhost:58641/account/logout') from origin 'http://localhost:58641' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Edit 2
I have another ASP.NET application that has the same logout code. But it's making a GET request to endsession.
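
The console message in Edit 1 names XMLHttpRequest as the caller, and a browser sends an OPTIONS preflight only for script-initiated cross-origin requests, never for a page navigation. The following added example (not part of the original post) models that decision in simplified form; the `X-Requested-With` header is an assumption about how the logout call is made, and `preflightDecision`, `ajaxHop` and `formHop` are hypothetical names.

```javascript
// Simplified model of the Fetch-standard preflight rules (added example).
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (n === "content-type") {
    return SAFE_CONTENT_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
  }
  return SAFE_HEADERS.has(n);
}

// request: { initiator: "xhr" | "navigation", pageOrigin, url, method, headers }
function preflightDecision(request) {
  if (request.initiator === "navigation") {
    return { preflight: false, reason: "top-level navigation, CORS does not apply" };
  }
  if (new URL(request.url).origin === request.pageOrigin) {
    return { preflight: false, reason: "same-origin request" };
  }
  if (!SAFE_METHODS.has(request.method.toUpperCase())) {
    return { preflight: true, reason: `method ${request.method} is not safelisted` };
  }
  const custom = Object.entries(request.headers || {})
    .filter(([name, value]) => !isSafelistedHeader(name, value))
    .map(([name]) => name);
  if (custom.length > 0) {
    return { preflight: true, reason: `non-safelisted header: ${custom.join(", ")}` };
  }
  // No OPTIONS, but the response must still carry Access-Control-Allow-Origin.
  return { preflight: false, reason: "simple cross-origin request" };
}

// Constructed sample: the redirected hop from the console message on this page.
const endSession = "https://localhost:44300/identity/connect/endsession?id_token_hint=xxxxxxx";
const ajaxHop = {
  initiator: "xhr", pageOrigin: "http://localhost:58641", url: endSession,
  method: "GET", // a 302 answer to a POST is followed as GET
  headers: { "X-Requested-With": "XMLHttpRequest" }, // assumed custom header
};
// The same URL reached by a normal form submit, which the browser navigates to.
const formHop = { ...ajaxHop, initiator: "navigation", headers: {} };

console.log(preflightDecision(ajaxHop));
console.log(preflightDecision(formHop));
```

Even when no preflight is sent, a script-initiated call to the end session endpoint does not take the browser to the identity provider's logout page; only a navigation does.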