public async Task <IActionResult> OnGetAsync()
{
// Get id_token first to seed the iframe logout
var user = await _signInManager.UserManager.GetUserAsync(User);
if (user != null)
{
// this is the session alternative to storing tokens
//var openIdConnectSessionDetails = HttpContext.Session.Get<OpenIdConnectSessionDetails>(Wellknown.OIDCSessionKey);
var queryLoginProviderClaim = (from claim in User.Claims
where claim.Type == "login_provider"
select claim).FirstOrDefault();
var queryIdTokenClaim = (from claim in User.Claims
where claim.Type == "id_token"
select claim).FirstOrDefault();
string loginProvider = null;
string idToken = null;
if (queryLoginProviderClaim != null)
{
loginProvider = queryLoginProviderClaim.Value;
if (queryIdTokenClaim != null)
{
idToken = queryIdTokenClaim.Value;
}
else
{
idToken = await _userManager.GetAuthenticationTokenAsync(user, loginProvider, "id_token");
}
}
// no matter what, we are logging out our own app.
// Do Not trust the provider to keep its end of the bargain to frontchannel sign us out.
await _signInManager.SignOutAsync();
_logger.LogInformation("User logged out.");
HttpContext.Session.Clear();
if (!string.IsNullOrEmpty(loginProvider) && !string.IsNullOrEmpty(idToken))
{
// we have an external OIDC provider here.
var clientSignoutCallback =
$"{Request.Scheme}://{Request.Host}/Identity/Account/SignoutCallbackOidc";
var discoverCacheContainer = _configuredDiscoverCacheContainerFactory.Get(loginProvider);
var discoveryCache = await discoverCacheContainer.DiscoveryCache.GetAsync();
var endSession = discoveryCache.EndSessionEndpoint;
EndSessionUrl =
$"{endSession}?id_token_hint={idToken}&post_logout_redirect_uri={clientSignoutCallback}";
// this redirect is to the provider to log everyone else out.
// We will get a double hit here, as our $"{Request.Scheme}://{Request.Host}/Account/SignoutFrontChannel";
// will get hit as well.
return(new RedirectResult(EndSessionUrl));
}
}
return(new RedirectResult("/"));
}
public IdentityController(ConfiguredDiscoverCacheContainerFactory configuredDiscoverCacheContainerFactory,
IMemoryCache memoryCache)
{
_configuredDiscoverCacheContainerFactory = configuredDiscoverCacheContainerFactory;
_discoveryContainer = _configuredDiscoverCacheContainerFactory.Get("p7identityserver4");
_memoryCache = memoryCache;
_providerValidator = new ProviderValidator(_discoveryContainer, _memoryCache);
}
public async Task <IActionResult> OnGetAsync()
{
if (User.Identity.IsAuthenticated)
{
string idToken = null;
string loginProvider = null;
var openIdConnectSessionDetails = HttpContext.Session.Get <OpenIdConnectSessionDetails>(Wellknown.OIDCSessionKey);
if (openIdConnectSessionDetails != null)
{
idToken = openIdConnectSessionDetails.OIDC["id_token"];
loginProvider = openIdConnectSessionDetails.LoginProider;
}
/*
* var openIdConnectSessionDetails = HttpContext.Session.Get<OpenIdConnectSessionDetails>(Wellknown.OIDCSessionKey);
* if (openIdConnectSessionDetails != null)
* {
* idToken = openIdConnectSessionDetails.OIDC["id_token"];
* loginProvider = openIdConnectSessionDetails.LoginProider;
* }
*/
// no matter what, we are logging out our own app.
// Do Not trust the provider to keep its end of the bargain to frontchannel sign us out.
await _signInManager.SignOutAsync();
_logger.LogInformation("User logged out.");
HttpContext.Session.Clear();
if (!string.IsNullOrEmpty(idToken) && !string.IsNullOrEmpty(loginProvider))
{
// we have an external OIDC provider here.
var clientSignoutCallback = $"{Request.Scheme}://{Request.Host}/Identity/Account/SignoutCallbackOidc";
var discoverCacheContainer = _configuredDiscoverCacheContainerFactory.Get(loginProvider);
var discoveryCache = await discoverCacheContainer.DiscoveryCache.GetAsync();
var endSession = discoveryCache.EndSessionEndpoint;
EndSessionUrl = $"{endSession}?id_token_hint={idToken}&post_logout_redirect_uri={clientSignoutCallback}";
// this redirect is to the provider to log everyone else out.
// We will get a double hit here, as our $"{Request.Scheme}://{Request.Host}/Account/SignoutFrontChannel";
// will get hit as well.
return(new RedirectResult(EndSessionUrl));
}
}
return(new RedirectResult("/"));
}
public async Task <IActionResult> OnGetAsync()
{
var clientSignoutCallback = $"{Request.Scheme}://{Request.Host}/Account/SignoutCallbackOidc";
// Get id_token first to seed the iframe logout
var user = await _signInManager.UserManager.GetUserAsync(User);
if (user != null)
{
var info = await _signInManager.GetExternalLoginInfoAsync();
var query = from item in info.AuthenticationTokens
where item.Name == "id_token"
select item;
var idToken = query.FirstOrDefault();
IdToken = idToken.Value;
var discoverCacheContainer = _configuredDiscoverCacheContainerFactory.Get(info.LoginProvider);
var discoveryCache = await discoverCacheContainer.DiscoveryCache.GetAsync();
var endSession = discoveryCache.EndSessionEndpoint;
EndSessionUrl = $"{endSession}?id_token_hint={IdToken}&post_logout_redirect_uri={clientSignoutCallback}";
// no matter what, we are logging out our own app.
// Do Not trust the provider to keep its end of the bargain to frontchannel sign us out.
await _signInManager.SignOutAsync();
_logger.LogInformation("User logged out.");
// this redirect is to the provider to log everyone else out.
// We will get a double hit here, as our $"{Request.Scheme}://{Request.Host}/Account/SignoutFrontChannel";
// will get hit as well.
return(new RedirectResult(EndSessionUrl));
//return Page(); return this is you want iFrame loggout. Your OIDC provider needs to let this go through though.
}
return(new RedirectResult("/"));
}