MVC Client Using Open Id Connect Auto Logging In after Logout

Question

I have just created my first MVC Application using the Open Id Connect Protocol under Identity Server 4 and .Net Core 2.0. The application is performing as expected during the Login flow where the user is redirected to the Login form hosted in my Identity Server service.

Where I am currently having an issue is that after I go through the Logout flow the application "appears" to behave as expected and is showing the user as logged out/not authenticated.

However on the next access of a protected method in my Web App the middleware is automatically logging the user back in by making a request to Identity Server in the background without asking for a username or password.

I have used the Implicit MVC Client from the Identity Server Samples to rule out any of my client code but the same thing happens.

I was wondering if anyone has experienced this issue and how they managed to resolve it.

My Startup.cs in the client looks as below:

services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = "oidc";
        })
            .AddCookie(options =>
            {
                options.Cookie.Name = "mvcimplicit";
            })
            .AddOpenIdConnect("oidc", options =>
            {
                options.Authority = Constants.Authority;
                options.RequireHttpsMetadata = false;

                options.ClientId = "lipaspotwebui";

                options.Scope.Clear();
                options.Scope.Add("openid");
                options.Scope.Add("profile");
                //options.Scope.Add("email");
                options.AuthenticationMethod = OpenIdConnectRedirectBehavior.FormPost;

                options.SaveTokens = true;

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = JwtClaimTypes.Name,
                    RoleClaimType = JwtClaimTypes.Role,
                };
            });

Here is the code from my Logout method in my client application:

public async Task<IActionResult> Logout()
    {            
        return new SignOutResult(new string[] { "oidc", "Cookies" });
    }

It would appear from my investigations that the user details are being cached at the client somehow and being passed up in the call to the Identity Server but that is only an assumption tbh.

Any help on this would be much appreciated.

Stuart

Edit:

I have now confirmed that the issue is the .AspNet.Identity.Application cookie that is being created as part of the application login. The issue I have now is how to get rid of this as have tried the suggestions below to no avail. Is there any way to easily get rid of this on my CleanUp action?

Edit #2

As suggested I cleared out all my browser cookies before starting. Here are the cookies at each stage

After Initial Login

After Logout (redirected from Identity Server 4)

After accessing a protected method in Client Site

It is important to note that as mentioned above that when I access the protected method after the logout has completed I am not prompted for my Username/Password again which IMO cant be desired method for this system to work.

Answer 1

As mentioned by m3n7alsnak3, HttpContext.Authentication.SignOutAsync is obsolete but it was replaced with HttpContext.SignOutAsync -- and you need to call it for OIDC as well. Try this:

await HttpContext.SignOutAsync("mvcimplicit");
await HttpContext.SignOutAsync("oidc");

Answer 2

You should have this:

Request.GetOwinContext().Authentication.SignOut();

in your Logout method in the client. Then the LogoutUri of the client (registered in IDS), should point to a method, in your client (for example: https://clientUrl/Home/SignoutCleanup), which has the following in it:

public void SignoutCleanup(string sid)
    {
        var cp = (ClaimsPrincipal)User;
        var sidClaim = cp.FindFirst("sid");
        if (sidClaim != null && sidClaim.Value == sid)
        {
            Request.GetOwinContext().Authentication.SignOut("Cookies");
        }
    }

So far this things works like charm for us.

EDIT: For .NET Core clients, because there is no Request.GetOwinContext()

you should use:

Microsoft.AspNetCore.Authentication.AuthenticationHttpContextExtensions.SignOutAsync(HttpContext);

You can see other answers, saying that you can also use:

HttpContext.Authentication.SignOutAsync("Cookies");

But it is already obsolete and will be removed.