Signing out of IdentityServer is as simple as removing the authentication cookie, but given the nature of IdentityServer we must consider signing the user out of the client applications as well.
Notifying clients that the user has signed-out
To sign out the user from the server-side client applications, the "logged out" page in IdentityServer must render an <iframe> to notify the clients that the user has signed out.
IdentityServer tracks which clients the user has signed into, and provides an API called GetLogoutContextAsync on the interaction service. This API returns a LogoutRequest object with a SignOutIFrameUrl property that your logged out page must render into an <iframe>.
Given how the session management specification is designed, there is nothing special that you need to do to notify these clients that the user has signed out.
Sign-out initiated by a client application
If sign-out was initiated by a client application, then the client first redirected the user to the end session endpoint. Processing at the end session endpoint might require some temporary state to be maintained (e.g. the client's post logout redirect URI) across the redirect to the logout page. This state might be of use to the logout page, and the identifier for the state is passed via a logoutId parameter to the logout page.
The GetLogoutContextAsync API on the interaction service can be used to load the state.
Of interest on the LogoutRequest is the ShowSignoutPrompt property, which indicates whether the request for sign-out has been authenticated and therefore whether it is safe to not prompt the user for sign-out.
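The flow described above (load the logout context by logoutId, honour ShowSignoutPrompt, remove the IdentityServer cookie, then render SignOutIFrameUrl on the logged out page), as an added example that is not part of the original page or of the IdentityServer project. It assumes an ASP.NET Core MVC host with IdentityServer4 installed; AccountController, the two view model classes and the view names are assumptions of this example. The call to CreateLogoutContextAsync for the locally-initiated case is an IdentityServer4 API that this page does not describe.

```csharp
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Assumed view models for this example (not IdentityServer types).
public class LogoutViewModel
{
    public string LogoutId { get; set; }
}

public class LoggedOutViewModel
{
    public string SignOutIframeUrl { get; set; }   // rendered into the <iframe>
    public string PostLogoutRedirectUri { get; set; }
    public string ClientName { get; set; }
}

public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;

    public AccountController(IIdentityServerInteractionService interaction)
    {
        _interaction = interaction;
    }

    // GET /Account/Logout?logoutId=...
    // The end session endpoint redirects here with the identifier of the temporary state.
    [HttpGet]
    public async Task<IActionResult> Logout(string logoutId)
    {
        // Loads the temporary state (client id, post logout redirect URI, ...).
        // logoutId is null when the user started sign-out on IdentityServer itself.
        var context = await _interaction.GetLogoutContextAsync(logoutId);

        // ShowSignoutPrompt == false means the end session request was authenticated,
        // so it is safe to sign the user out without asking for confirmation.
        if (context?.ShowSignoutPrompt == false)
        {
            return await Logout(new LogoutViewModel { LogoutId = logoutId });
        }

        // Otherwise render a confirmation page; an unauthenticated request must not
        // be able to log the user out silently.
        return View(new LogoutViewModel { LogoutId = logoutId });
    }

    // POST /Account/Logout: the user confirmed (or ShowSignoutPrompt was false).
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout(LogoutViewModel model)
    {
        var logoutId = model.LogoutId;

        if (User?.Identity?.IsAuthenticated == true)
        {
            // Removing the authentication cookie is the actual local sign-out.
            await HttpContext.SignOutAsync();

            // Sign-out started on IdentityServer itself: create a logout context now so
            // the front-channel clients are still notified (assumed API, see lead-in).
            if (logoutId == null)
            {
                logoutId = await _interaction.CreateLogoutContextAsync();
            }
        }

        var context = await _interaction.GetLogoutContextAsync(logoutId);

        return View("LoggedOut", new LoggedOutViewModel
        {
            SignOutIframeUrl = context?.SignOutIFrameUrl,
            PostLogoutRedirectUri = context?.PostLogoutRedirectUri,
            ClientName = context?.ClientName,
        });
    }
}

/* Views/Account/LoggedOut.cshtml (assumed view for this example):

@model LoggedOutViewModel
<h1>You are now logged out</h1>
@if (Model.PostLogoutRedirectUri != null)
{
    <a href="@Model.PostLogoutRedirectUri">Return to @Model.ClientName</a>
}
@if (Model.SignOutIframeUrl != null)
{
    @* Rendering this iframe is what notifies the front-channel clients. *@
    <iframe width="0" height="0" class="signout" src="@Model.SignOutIframeUrl"></iframe>
}
*/
```

The confirmation prompt only exists to stop an unauthenticated request from ending the user's session, so the GET action skips it only when ShowSignoutPrompt is false; the iframe is rendered whether sign-out began at a client or on IdentityServer, which is why the locally-initiated branch creates a logout context before rendering the view.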
By default this state is managed in a cookie. If you wish to use some other persistence between the end session endpoint and the logout page, then you can implement IMessageStore<LogoutMessage> and register the implementation in DI.
When the "logged out" page renders the SignOutIFrameUrl described above, the state is then cleaned up.
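A replacement for the cookie-backed state, as an added example that is not part of the original page or of the IdentityServer project: a server-side IMessageStore<LogoutMessage> that keeps the end-session state in memory keyed by a random logoutId, and drops entries that were never consumed. It assumes the IdentityServer4 IMessageStore<TModel> interface with WriteAsync, ReadAsync and DeleteAsync, and the Message<TModel> wrapper type; the class name, the 10-minute lifetime and the identifier format are assumptions of this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Stores;

// Stores the temporary end-session state server-side instead of in a cookie.
// Suitable for a single instance; a clustered host would back this with a shared store.
public class InMemoryLogoutMessageStore : IMessageStore<LogoutMessage>
{
    private sealed class Entry
    {
        public Message<LogoutMessage> Message;
        public DateTime ExpiresUtc;
    }

    // Assumed lifetime: the redirect from the end session endpoint to the logout page
    // completes within seconds, so stale entries can be discarded aggressively.
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(10);

    private readonly ConcurrentDictionary<string, Entry> _entries =
        new ConcurrentDictionary<string, Entry>();

    // Called by the end session endpoint; the returned id becomes the logoutId parameter.
    public Task<string> WriteAsync(Message<LogoutMessage> message)
    {
        PurgeExpired();

        // The id travels in the query string, so it must be unguessable: 256 bits from
        // the platform CSPRNG, base64url-encoded.
        var id = NewId();
        _entries[id] = new Entry
        {
            Message = message,
            ExpiresUtc = DateTime.UtcNow.Add(Lifetime),
        };
        return Task.FromResult(id);
    }

    // Called by GetLogoutContextAsync on the logout page; null means "no such state".
    public Task<Message<LogoutMessage>> ReadAsync(string id)
    {
        if (id != null && _entries.TryGetValue(id, out var entry))
        {
            if (entry.ExpiresUtc > DateTime.UtcNow)
            {
                return Task.FromResult(entry.Message);
            }
            _entries.TryRemove(id, out _);
        }
        return Task.FromResult<Message<LogoutMessage>>(null);
    }

    // Called when the logged out page has rendered the SignOutIFrameUrl.
    public Task DeleteAsync(string id)
    {
        if (id != null)
        {
            _entries.TryRemove(id, out _);
        }
        return Task.CompletedTask;
    }

    private void PurgeExpired()
    {
        var now = DateTime.UtcNow;
        foreach (var pair in _entries)
        {
            if (pair.Value.ExpiresUtc <= now)
            {
                _entries.TryRemove(pair.Key, out _);
            }
        }
    }

    private static string NewId()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
}

// Startup.ConfigureServices: register after AddIdentityServer() so this
// implementation is the one resolved for IMessageStore<LogoutMessage>.
//
//   services.AddIdentityServer() /* ... */;
//   services.AddTransient<IMessageStore<LogoutMessage>, InMemoryLogoutMessageStore>();
```

ReadAsync returns null rather than throwing for an unknown or expired id so that the logout page behaves as it does when no logoutId was supplied at all; the entry is removed once the logged out page has rendered the iframe, matching the clean-up the page describes for the cookie-backed default.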