How to Logout of Owin Providers?

Question

I am following this tutorial yet it does not tell you how to logout. I tried to do

Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);

Request.GetOwinContext().Authentication.SignOut()

          Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie);

You can get the sample code here: https://github.com/AndersAbel/SocialLoginWithoutIdentity

Just need to add one more action

public ActionResult SignOut()
 {
       Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);
       return RedirectToAction("Index", "Home");
 }

This method plus any one of the 3 lines of I posted above

My result right now is, I login, I go to secure page and can see it, I then proceed to my signout and then after signout try to go back to the secure page and I am allowed back to that secure page.

So it actually did not really sign me out.

Answer 1

As mentioned in the tutorial, the middleWare used use the default authentication type but don't override it.

By using only externalCookie as parameter for Owin you are clearing the cookie for Asp, but not the one used to store the Google provider,

to do so, you will have to get the array of all current cookies. It can be done the easy way like this:

Request.GetOwinContext()
       .Authentication
       .SignOut(HttpContext.GetOwinContext()
                           .Authentication.GetAuthenticationTypes()
                           .Select(o => o.AuthenticationType).ToArray());

This is where it is said on the Tutorial:

The call to UseGoogleAuthentication should be quite obvious why it’s needed.

But the first one toSetDefaultSignInAsAuthenticationType is not as obvious. login middleware normally relies on the external cookie middleware registered before the social login middleware. external cookie middleware, it sets itself as the default signin type. That’s how the social login middleware knows that it should use the external cookie. In this setup there is no external cookie, so we have to manually set the main cookie middleware as the default signin type. The cookie middleware will only issue a cookie if the AuthenticationType matches the one in the identity created by the social login middleware.Looking at the owin external authentication pipeline a socialIn the setup of the

Answer 2

Try setting the cache control headers.

public ActionResult SignOut() {
    var authenticationTypes = new string[] {
        DefaultAuthenticationTypes.ApplicationCookie,  
        DefaultAuthenticationTypes.ExternalCookie 
    };
    AuthenticationManager.SignOut(authenticationTypes);
    // HACK: Prevent user from being able to go back to a logged in page once logged out
    Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
    Response.Cache.SetCacheability(HttpCacheability.NoCache);
    Response.Cache.SetNoStore();
    // now redirect
    return RedirectToAction("Index", "Home");    
}

private IAuthenticationManager AuthenticationManager {
    get {
        return Request.GetOwinContext().Authentication;
    }
}

There is no stopping the user clicking the back button on the browser, unless you try JavaScript, which can be disabled. The user can go back a page and view what was on the previous page, but if they try to click any protected links or refresh the page, they will be redirected to log in.

Answer 3

Use the [Authorize] attribute on classes which need authorization:

 [Authorize]
public class MeController : ApiController
{
    // GET api/<controller>
    public IEnumerable<object> Get()
    {
        var identity = User.Identity as ClaimsIdentity;
        return identity.Claims.Select(c => new
        {
            Type = c.Type,
            Value = c.Value
        });
    }
}

source: http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server