
How do I get the id_token for the implicit token to pass in the id_token_hint for logout for implicit flow, or is there another way? I have the endpoint /connect/endsession?id_token_hint=

Not sure how I get the id_token from the implicit flow; all I get is an access_token and expiration. Is there a setting in IdSvr?

Greens

3 Answers

There are three components to this.

First, ensure you're requesting an id_token from Identity Server when you're configuring the OIDC authentication in your Startup.cs (as mentioned by @leastprivilege above):

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        Authority = "https://localhost:44301/",
        ...
        ResponseType = "id_token token", // (Here's where we request id_token!)

Secondly, using the OIDC notifications, after the security token is validated you add the id_token to your user's claims:

    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        SecurityTokenValidated = async n =>
        {
            var nid = new ClaimsIdentity(
                n.AuthenticationTicket.Identity.AuthenticationType,
                Constants.ClaimTypes.GivenName,
                Constants.ClaimTypes.Role);

            // get userinfo data
            var userInfoClient = new UserInfoClient(
                new Uri(n.Options.Authority + "/" + Constants.RoutePaths.Oidc.UserInfo),
                n.ProtocolMessage.AccessToken);

            var userInfo = await userInfoClient.GetAsync();
            userInfo.Claims.ToList().ForEach(ui => nid.AddClaim(new Claim(ui.Item1, ui.Item2)));

            // keep the id_token for logout (**This bit**)
            nid.AddClaim(new Claim(Constants.TokenTypes.IdentityToken, n.ProtocolMessage.IdToken));

            n.AuthenticationTicket = new AuthenticationTicket(
                nid,
                n.AuthenticationTicket.Properties);
        },

Finally, on the redirect for sign-out (also a notification event), you add the id_token to the protocol message:

        RedirectToIdentityProvider = n =>
        {
            if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
            {
                // the id_token we stashed as a claim in SecurityTokenValidated
                var idTokenHint = n.OwinContext.Authentication.User.FindFirst(Constants.TokenTypes.IdentityToken);

                if (idTokenHint != null)
                {
                    n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
                }
            }

            return Task.FromResult(0);
        }

You'll also need to ensure you set up the PostLogoutRedirectUris on the client within Identity Server:

    new Client
    {
        Enabled = true,
        ClientName = "(MVC) Web App",
        ClientId = "mvc",
        Flow = Flows.Implicit,
        PostLogoutRedirectUris = new List<string>
        {
            "https://localhost:44300/" // (** The client's Url **)
        }
    }

That will ensure you give the user an option to return to the authorised client when they log out :)

All of this is pretty much as per the MVC sample at https://identityserver.github.io/Documentation/docsv2/overview/mvcGettingStarted.html

Bit more than you asked for but hopefully that helps anyone else who's trying to figure it out too :)

Matt Woodward
  • Are there any differences in Identity Server 4? If yes, I will create a new SO question asking how a single logoff should be implemented in IdSrv4. – Jonas Nov 07 '16 at 21:33
  • @JonasAxelsson - No idea off the top of my head. I will try and update this question when I revisit this part of the stack. – Matt Woodward Nov 15 '16 at 03:46
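To make the two halves of the answer above concrete, here is a small added example (not code from the answer, from IdentityServer, or from the MVC sample): it assembles the end-session request an RP sends with the stored id_token as `id_token_hint`, and shows the checks an OpenID Provider applies on receipt, namely that the hint's `aud` names a registered client and that `post_logout_redirect_uri` exactly matches one of that client's `PostLogoutRedirectUris`. The helper names (`BuildEndSessionUrl`, `ValidateLogoutRequest`, `SampleIdToken`), the sample claims and the registered URI table are all constructed for the demo; the example assumes the id_token's signature has already been verified by the OIDC middleware, so the sample token carries a placeholder signature segment.

```csharp
// Added example: end-session request building and the OP-side checks on
// id_token_hint / post_logout_redirect_uri. Not IdentityServer's own code.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class EndSessionExample
{
    // RP side: the URL the browser is sent to when the user logs out.
    public static string BuildEndSessionUrl(string authority, string idToken, string postLogoutRedirectUri)
    {
        return authority.TrimEnd('/') + "/connect/endsession"
             + "?id_token_hint=" + Uri.EscapeDataString(idToken)
             + "&post_logout_redirect_uri=" + Uri.EscapeDataString(postLogoutRedirectUri);
    }

    // Decodes the JWT payload (second dot-separated segment, base64url, no padding).
    public static JsonDocument ReadPayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWS");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return JsonDocument.Parse(Convert.FromBase64String(b64));
    }

    // OP side (simplified, assumes the signature was verified upstream):
    // which client the hint belongs to, and whether the requested return URL
    // is one that client registered.
    public static bool ValidateLogoutRequest(
        IReadOnlyDictionary<string, string[]> registeredPostLogoutUris,
        string idTokenHint, string postLogoutRedirectUri, out string reason)
    {
        using var payload = ReadPayload(idTokenHint);
        var root = payload.RootElement;

        // aud may be a single string or an array; find the registered client it names.
        var aud = root.GetProperty("aud");
        var audiences = aud.ValueKind == JsonValueKind.Array
            ? aud.EnumerateArray().Select(a => a.GetString()).ToList()
            : new List<string> { aud.GetString() };
        var clientId = audiences.FirstOrDefault(registeredPostLogoutUris.ContainsKey);
        if (clientId == null)
        {
            reason = "id_token_hint audience is not a known client";
            return false;
        }

        // Exact match against the registered list: no prefix or wildcard matching.
        if (!registeredPostLogoutUris[clientId].Contains(postLogoutRedirectUri, StringComparer.Ordinal))
        {
            reason = $"post_logout_redirect_uri not registered for client '{clientId}'";
            return false;
        }

        reason = $"ok: end session for sub={root.GetProperty("sub").GetString()} client={clientId}";
        return true;
    }

    // Constructed sample id_token for the demo; the signature segment is a placeholder.
    public static string SampleIdToken(string aud, string sub)
    {
        static string B64Url(string s) =>
            Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return B64Url("{\"alg\":\"none\",\"typ\":\"JWT\"}") + "."
             + B64Url($"{{\"iss\":\"https://localhost:44301\",\"aud\":\"{aud}\",\"sub\":\"{sub}\",\"exp\":4102444800}}") + "."
             + "PLACEHOLDER_SIGNATURE";
    }

    public static void Main()
    {
        // Mirrors the Client registration in the answer: client "mvc" may return to its own URL only.
        var registered = new Dictionary<string, string[]>
        {
            ["mvc"] = new[] { "https://localhost:44300/" }
        };
        string idToken = SampleIdToken("mvc", "user-1234");

        Console.WriteLine(BuildEndSessionUrl("https://localhost:44301/", idToken, "https://localhost:44300/"));

        foreach (var uri in new[] { "https://localhost:44300/", "https://unregistered.example/" })
        {
            bool ok = ValidateLogoutRequest(registered, idToken, uri, out string reason);
            Console.WriteLine($"{uri} -> {(ok ? "allowed" : "rejected")} ({reason})");
        }
    }
}
```

The point of carrying `id_token_hint` is visible in `ValidateLogoutRequest`: without it the provider has no reliable way to tie the logout request to a client, so it cannot decide which `PostLogoutRedirectUris` list applies and falls back to not redirecting at all, which is the behaviour the question describes. Exact-match comparison of the return URL is the same rule the registered-URI check on the authorization endpoint uses.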

To get an id_token, you have to ask for it. Use response_type=id_token token.

leastprivilege

Have you tried this?

ASP.Net Identity Logout

It should create the id_token_hint automatically.

Ming