4

I want to redirect the user to the same client after he has logged out from that client. So if I have, let's say, 5 clients on one identity server, I want users to be able to log out from one client and be on that same client but logged out.

The one thing I have tried is to use PostLogoutRedirectUri in AccountController in the quickstart, but the value is always null. A workaround that I found is to manually set PostLogoutRedirectUri; that works fine if you have only one client on the server, but not so much if I have multiple. Is there any way to know which client has been "logged out"?

```csharp
public async Task<IActionResult> Logout(LogoutInputModel model)
{
    // build a model so the logged out page knows what to display
    var vm = await BuildLoggedOutViewModelAsync(model.LogoutId);

    if (User?.Identity.IsAuthenticated == true)
    {
        // delete local authentication cookie
        await HttpContext.SignOutAsync();

        // raise the logout event
        await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName()));
    }

    // check if we need to trigger sign-out at an upstream identity provider
    if (vm.TriggerExternalSignout)
    {
        // build a return URL so the upstream provider will redirect back
        // to us after the user has logged out. this allows us to then
        // complete our single sign-out processing.
        string url = Url.Action("Logout", new { logoutId = vm.LogoutId });

        // this triggers a redirect to the external provider for sign-out
        return SignOut(new AuthenticationProperties { RedirectUri = url }, vm.ExternalAuthenticationScheme);
    }

    vm.PostLogoutRedirectUri = "http://localhost:56582";
    return Redirect(vm.PostLogoutRedirectUri);
}
```

My client:

```csharp
new Client
{
    ClientId = "openIdConnectClient",
    ClientName = "Implicit Client Application Name",
    AllowedGrantTypes = GrantTypes.Implicit,
    AllowedScopes = new List<string>
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Email,
        "role",
        "customAPI.write"
    },

    RedirectUris = new List<string>{ "http://localhost:56582/signin-oidc" },
    PostLogoutRedirectUris = new List<string>{ "http://localhost:56582" },
    // FrontChannelLogoutUri = "http://localhost:56582/signout-oidc"
}
```

  • PostLogoutRedirectUri is something you configure per client; it should not be null if you configure it. You don't show the code for how your clients are set up. – Joe Audette Jun 06 '19 at 12:10
  • I've updated the info with client code – Veljko Sekulic Jun 06 '19 at 12:13
  • I have an open source integration with IdServer [here](https://www.cloudscribe.com/identityserver-integration) that does redirect correctly after logout. [source code here](https://github.com/cloudscribe/cloudscribe) My idserver logout action accepts a logoutId which I use with IIdentityServerInteractionService.GetLogoutContext(logoutid) and that returns for me the client PostLogoutRedirectUri. – Joe Audette Jun 06 '19 at 12:28
  • Why is my PostLogoutRedirectUri null when I set it in my client? – Veljko Sekulic Jun 06 '19 at 12:40
  • Are you sure you are getting a value for logoutid? Maybe look at my code [here](https://github.com/cloudscribe/cloudscribe/blob/bd483917025d3e6213615943e7f2b638a722226b/src/cloudscribe.Core.Web/Controllers/AccountController.cs#L960-L996) and [here](https://github.com/cloudscribe/cloudscribe/blob/bd483917025d3e6213615943e7f2b638a722226b/src/cloudscribe.Core.IdentityServerIntegration/CloudscribeIntegration.cs#L57-L69) – Joe Audette Jun 06 '19 at 12:56
  • Yep, there is a logoutid, vm is also not null, but the redirect URI is still null – Veljko Sekulic Jun 06 '19 at 13:24
  • Are you using IIdentityServerInteractionService to get it? You don't show code for BuildLoggedOutViewModelAsync – Joe Audette Jun 06 '19 at 13:44

1 Answer

10

You are not supposed to set the uri manually. Actually the default logout method from the IdentityServer samples works fine.

When you try the 3_ImplicitFlowAuthentication sample project, you'll see PostLogoutRedirectUri is not null and the redirection works (but not automatically).

The reason why PostLogoutRedirectUri is null in your case is probably because the id_token is not preserved. In MvcClient.Startup make sure you add this line:

```csharp
options.SaveTokens = true;
```

That will preserve the tokens in a cookie.

In order to automatically redirect back to the client, make a few adjustments to the sample code. In IdentityServer AccountOptions set

```csharp
AutomaticRedirectAfterSignOut = true;
```

In the AccountController.Logout method add the following lines:

```csharp
if (vm.AutomaticRedirectAfterSignOut &&
    !string.IsNullOrWhiteSpace(vm.PostLogoutRedirectUri))
    return Redirect(vm.PostLogoutRedirectUri);
```

Just before the last line:

```csharp
return View("LoggedOut", vm);
```

When you run the sample again you should see that the user is now automatically returned to the client after logout.
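
An added example, not part of the answer above or of the IdentityServer quickstart: a logout action that takes the per-client redirect target from the logout context, so the only address it ever redirects to is one IdentityServer has validated against the client's registered PostLogoutRedirectUris. `LogoutExampleController` is a hypothetical name, and the sketch assumes IdentityServer4's `IIdentityServerInteractionService` is registered and a "LoggedOut" view exists.

```csharp
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller for illustration; not the quickstart's AccountController.
public class LogoutExampleController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;

    public LogoutExampleController(IIdentityServerInteractionService interaction)
    {
        _interaction = interaction;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout(string logoutId)
    {
        // Load the end-session request that IdentityServer stored for this logoutId.
        // ClientId and PostLogoutRedirectUri are filled in only when the client sent
        // an id_token_hint and the requested URI is registered for that client.
        var context = await _interaction.GetLogoutContextAsync(logoutId);

        if (User?.Identity?.IsAuthenticated == true)
        {
            // delete the local authentication cookie
            await HttpContext.SignOutAsync();
        }

        // context.ClientId identifies which client started the logout.
        var redirectUri = context?.PostLogoutRedirectUri;
        if (string.IsNullOrWhiteSpace(redirectUri))
        {
            // No validated URI (for example, the client did not preserve its
            // id_token): stay on the identity server instead of falling back
            // to a hard-coded or request-supplied address.
            return View("LoggedOut");
        }

        return Redirect(redirectUri);
    }
}
```

With several clients registered, each one's logout request resolves to its own registered URI, and a request without a usable id_token_hint ends on the logged-out page rather than being redirected.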