
I'm looking for the correct way to sign out a logged-in user when the sign-out endpoint is called.

For example, the user logs in using the method below:

// Look the user up by e-mail, eagerly loading the roles the caller needs.
// NOTE(review): SingleOrDefaultAsync throws if two rows share an e-mail, so this
// relies on the e-mail column being unique — confirm against the schema.
var user = await _userManager.Users
    .Include(u => u.UserRoles).ThenInclude(r => r.Role)
    .SingleOrDefaultAsync(x => x.Email == request.EmailAddress);

// Unknown e-mail. The elided branch (not shown) should return the same generic
// "invalid credentials" response as the wrong-password branch below, so the
// endpoint does not reveal which e-mail addresses exist.
if (user is null)
{
    ...
}

// This only verifies the password; it does not sign the user in (no cookie or
// principal is issued here), so whatever credential the client later presents
// must be produced by the caller of this method (not shown).
// The third argument is lockoutOnFailure: `false` means repeated wrong passwords
// never lock the account — consider `true` so the configured Identity lockout
// settings apply as brute-force protection.
var result = await _signInManager.CheckPasswordSignInAsync(user, request.Password, false);

if (!result.Succeeded)
{
    ...
}

return user;

Then the user decides to logout:

// NOTE(review): SignInManager.SignOutAsync only clears the Identity cookie scheme(s).
// In Program.cs the default authentication scheme is JwtBearer, so RequireAuthorization()
// is satisfied by the bearer token, and a JWT is stateless: nothing server-side is
// invalidated by this call and the token stays valid until its expiry. To make
// "logout" effective for bearer tokens, use short-lived access tokens plus a
// revocable refresh token, or keep a server-side denylist (e.g. keyed by the token's
// `jti`) that is checked on every authenticated request.
await _signInManager.SignOutAsync();

After that, this user can still call endpoints that require authentication — for example the sign-out endpoint itself: `identityGroup.MapPost(ApiRoutes.Identity.SignOut, SignOutUser).RequireAuthorization();`

So my question is: what is the correct way to sign out a user so that they lose the ability to call authorized endpoints?

Program.cs

using API.Data;
using API.Extensions;
using Application;
using DAL;
using DAL.Data;
using Domain.Entities;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;

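var builder = WebApplication.CreateBuilder(args);

// Project-specific registrations live in extension methods that are not shown here.
// NOTE(review): no AddJwtBearer(...) call is visible in this file, so the handler for
// the default "Bearer" scheme below is presumably registered in one of these — confirm.
builder.RegisterServices();
builder.Services.ConfigureApplication();
builder.Services.ConfigureDal(builder.Configuration);

// JwtBearer is the default authenticate/challenge scheme, so RequireAuthorization()
// on an endpoint is satisfied by a valid bearer token. The cookie scheme is registered
// in addition. SignInManager.SignOutAsync only clears that cookie; it cannot revoke a
// JWT, which is stateless and stays valid until it expires.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddCookie();

builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

builder.Services.AddCors();

var app = builder.Build();

// Apply pending migrations and seed roles/users before the app starts serving.
// NOTE(review): migrating at startup is convenient in development but races when
// several instances start at once — prefer a dedicated deploy step in production.
using (var scope = app.Services.CreateScope())
{
    var context = scope.ServiceProvider.GetRequiredService<DataContext>();
    var roleManager = scope.ServiceProvider.GetRequiredService<RoleManager<AppRole>>();
    var userManager = scope.ServiceProvider.GetRequiredService<UserManager<AppUser>>();
    await context.Database.MigrateAsync();
    await Seed.SeedData(userManager, roleManager);
}

// Swagger UI is exposed in Development only.
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

app.UseHttpsRedirection();

// CORS is placed before authentication/authorization (the ASP.NET Core docs put
// UseCors after UseRouting and before UseAuthorization). In the original order it ran
// after authorization, so a 401/403 for a cross-origin request went back without CORS
// headers and the browser surfaced a CORS error instead of the real status.
// AllowCredentials() requires an explicit origin list, which WithOrigins provides.
app.UseCors(x => x.AllowAnyHeader()
    .AllowAnyMethod()
    .AllowCredentials()
    .WithOrigins("http://localhost:3000"));

app.UseAuthentication();
app.UseAuthorization();

app.RegisterEndpointDefinitions();

app.Run();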
  • You are using Cookies for your authentication so you likely need to use `HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);` to ensure the cookie is removed on signout. There can be issues if you issue a redirect on sign-out. Check https://stackoverflow.com/questions/41122053/httpcontext-authentication-signoutasync-does-not-delete-auth-cookie – Steve Py Aug 16 '23 at 22:14
  • Did not work, without parameter neither, but thanks. – PeterPazmandi Aug 17 '23 at 04:39
  • You are using `JwtBearerDefaults.AuthenticationScheme`, then how about `await HttpContext.SignOutAsync(JwtBearerDefaults.AuthenticationScheme);` ? – Jason Pan Aug 23 '23 at 13:07
