Signing out of IdentityServer is as simple as removing the authentication cookie, but given the nature of IdentityServer we must consider signing the user out of the client applications as well.

Notifying clients that the user has signed-out

As part of the signout process you will want to ensure client applications are informed that the user has signed out. IdentityServer supports the front-channel specification for server-side clients (e.g. MVC) and the session management specification for browser-based JavaScript clients (e.g. SPA, React, Angular, etc.).

Server-side clients

To signout the user from the server-side client applications, the “logged out” page in IdentityServer must render an <iframe> to notify the clients that the user has signed out. IdentityServer tracks which clients the user has signed into, and provides an API called GetLogoutContextAsync on the IIdentityServerInteractionService (details). This API returns a LogoutRequest object with a SignOutIFrameUrl property that your logged out page must render into an <iframe>.

Browser-based JavaScript clients

Given how the session management specification is designed, there is nothing special that you need to do to notify these clients that the user has signed out.

Sign-out initiated by a client application

If sign-out was initiated by a client application, then the client first redirected the user to the end session endpoint. Processing at the end session endpoint might require some temporary state to be maintained (e.g. the client’s post logout redirect uri) across the redirect to the logout page. This state might be of use to the logout page, and the identifier for the state is passed via a logoutId parameter to the logout page.

The GetLogoutContextAsync API on the interaction service can be used to load the state. Of interest on the ShowSignoutPrompt is the ShowSignoutPrompt which indicates if the request for sign-out has been authenticated, and therefore it’s safe to not prompt the user for sign-out.

By default this state is managed in a cookie. If you wish to use some other persistence between the end session endpoint and the logout page, then you can implement IMessageStore<LogoutMessage> and register the implementation in DI.

When the “logged out” page renders the SignOutIFrameUrl described above, the state is then cleaned up.