Pfthb

I just updated my application (that uses identity server 4) to use the .net core 2.1 framework. The production instance uses .net core 1.1 and I do not have this issue there. The application supports multiple open id providers, one of which is B2C. Unlike other directories, the sign out process does not complete fully. In .net core 1.1, the sign out will end with the identity server logout page. But with .net core 2.1, I see a blank page. The last url hit on the identity server side is https://<id-server>/signout-callback-oidc?state=<state>. I suspect the state is corrupted? Unfortunately, this issue happens only after I deploy it to the app service, locally I do not have any issues.

With respect to the logs - logging ends once the end session end point is reached (EndSessionEndpoint). Once EndSessionResult is returned, logging does not happen anymore. So if I look at my logs, it indicates success.

I tried numerous things like specifying the signed out callback url in the list of accepted reply urls for the B2C registration, custom state data format suspecting lengthy urls. But nothing worked. The number of claims for these users are also less - about 7/8. I also tried using OpenIdConnectEvents.OnRemoteSignout and OpenIdConnectEvents.OnSignedOutCallbackRedirect, but it does not seem like these callbacks are getting called.

Identity Server Logs

[02:16:36 Information] IdentityServer4.Validation.EndSessionRequestValidator
End session request validation success

 "ClientId": "<id>",
 "ClientName": "<nmame>",
 "SubjectId": "<sub-id>",
 "PostLogOutUri": "https://<app>/signout-callback-oidc",
 "State": "<state>",
 "Raw": 
 "post_logout_redirect_uri": "https://<app>/signout-callback-oidc",
 "id_token_hint": "<token-hint>",
 "state": "<state>",
 "x-client-SKU": "ID_NET",
 "x-client-ver": "2.1.4.0"
 


[02:16:36 Debug] IdentityServer4.Endpoints.EndSessionEndpoint
Success validating end session request from <app-client-id>

[02:16:37 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
AuthenticationScheme: Identity.Application signed out.

[02:16:37 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
AuthenticationScheme: Identity.External signed out.

[02:16:38 Information] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler
AuthenticationScheme: Identity.TwoFactorUserId signed out.

[02:16:38 Information] Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler
AuthenticationScheme: OpenIdConnect signed out.

Sequence of urls traversed

.Net core 2.1 (Stops at signout-callback-oidc?state=<state> w/ a blank page)

• https://<client-app>/logout


• https://<identity-server>/connect/endsession?post_logout_redirect_uri=https%3A%2F%2F<client-app>%2Fsignout-callback-oidc&id_token_hint=<token-hint>&state=<state>&x-client-SKU=ID_NET&x-client-ver=2.1.4.0


• 
  https://<identity-server>/account/logout?logoutId=<logout-id>


• https://login.microsoftonline.com/our-tenant-id/our-policy/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Four-identity-server%2Fsignout-callback-oidc&state=<state>&x-client-SKU=ID_NETSTANDARD1_4&x-client-ver=5.2.0.0


• 
  https://<identity-server>/signout-callback-oidc?state=<state>

.Net core 1.1 (Successful)

• https://<client-app>/logout


• 
  https://<identity-server>/connect/endsession?post_logout_redirect_uri=https%3A%2F%2F<client-app>%2Fsignout-callback-oidc&id_token_hint=<token-hint>


• https://<identity-server>/account/logout


• https://<identity-server>/account/Logout


• 
  https://login.microsoftonline.com/te/our-tenant-id/our-policy/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Four-dentity-server%2Fsignout-callback-oidc&state=<state>


• 
  https://<identity-server>/signout-callback-oidc?state=<state>


• https://<identity-server>/account/logout

My questions

• Any thoughts on what is happening?


• If the sign out did not complete
  fully, is there any way for me recover and redirect to a pre-defined
  page?

Open ID Setup

services.AddOpenIdConnect(adSettingsB2c.SchemeName, adSettingsB2c.DisplayName, options =>

 options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
 options.SignOutScheme = IdentityServerConstants.SignoutScheme;
 options.Authority = $"adSettingsB2c.AADInstance/adSettingsB2c.Tenant/B2C_1_adSettingsB2c.SignInPolicyId/v2.0";
 options.CallbackPath = adSettingsB2c.CallbackPath;
 options.ClientId = adSettingsB2c.ClientId;
 options.ResponseType = OpenIdConnectResponseType.IdToken;
 options.SaveTokens = true;
 options.TokenValidationParameters = new TokenValidationParameters
 
 ValidateIssuer = true
 ;
 options.Events = new OpenIdConnectEvents
 
 OnRedirectToIdentityProvider = r =>
 
 var defaultPolicy = adSettingsB2c.SignInPolicyId;
 if (r.Properties.Items.TryGetValue("Policy", out var policy) &&
 !policy.Equals(defaultPolicy))
 
 r.ProtocolMessage.Scope = OpenIdConnectScope.OpenIdProfile;
 r.ProtocolMessage.ResponseType = OpenIdConnectResponseType.IdToken;
 r.ProtocolMessage.IssuerAddress = r.ProtocolMessage.IssuerAddress.ToLower().Replace(defaultPolicy.ToLower(), policy.ToLower());
 r.Properties.Items.Remove("Policy");
 
 if (r.Properties.Items.ContainsKey("email_address"))
 
 r.ProtocolMessage.SetParameter("login_hint", r.Properties.Items["email_address"]);
 
 return Task.FromResult(0);
 ,
 OnRemoteFailure = r => // ... 
 ;
 )

I have posted this question in the identity server repo too, in case you have some thoughts and would like to add it there instead! - https://github.com/IdentityServer/IdentityServer4/issues/2794

The issue was that when setting the options using the AddOpenIdConnect method, I was not setting the SignedoutCallbackPath for each of the open id providers causing this issue. Once that was done, logouts started working as expected!