Is there a way to redirect the to a URL on OpenIdConnect signout?

[paulomorgado]

When the request hits the endpoint configured in OpenIdConnectOptions.RemoteSignoutPath, it doesn't invoke the remote authority and doesn't redirect to the endpoint defined in OpenIdConnectOptions.SignedOutRedirectUri because OpenIdConnectOptions.SignedOutCallbackPath is not being invoked.

I've set up authentication as:

Startup.ConfigureServices

services.AddAuthentication(sharedOptions =>
{
    sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddOpenIdConnect(options =>
{
    this.Configuration.Bind("Security:OpenIdConnect", options);
})
AddCookie();

appsettings.json

{
  "Security": {
    "OpenIdConnect": {
      "Authority": "<redacted>",
      "ClientId": "<redacted>",
      "CallbackPath": "/auth/signin-callback-oidc",
      "RemoteSignOutPath": "/auth/signout-oidc",
      "SignedOutCallbackPath": "/auth/signout-callback-oidc",
      "SignedOutRedirectUri": "/",
      "UseTokenLifetime": true,
      "RequireHttpsMetadata": false
    }
}

According to the OpenIdConnectOptions Class:

SignedOutRedirectUri

The uri where the user agent will be redirected to after application is signed out from the identity provider. The redirect will happen after the SignedOutCallbackPath is invoked.

RemoteSignOutPath

Requests received on this path will cause the handler to invoke SignOut using the SignOutScheme.

What am I missing here?

[Tratcher]

Can you show the config as well?

RemoteSignoutPath is unrelated to these other settings. It's only used if a different app requested a signout from the IDP and the IDP chooses to notify your app to also signout. There are no redirects in this scenario, nor should it invoke the remote authority, it should only delete the local auth cookie.

Could you back up and summarize what you're trying to acomplish?

[paulomorgado]

@Tratcher, I've updated the question.

[Tratcher]

RemoteSignOutPath

Requests received on this path will cause the handler to invoke SignOut using the SignOutScheme.

That means it will call signout for the auth cookie (OIDC's SignOutScheme), not for OIDC. This is an isolated action for a specific flow, it is unrelated to any of the other properties.

Those other properties are only used if the application explicitly calls SignOutAsync for OpenIdConnect. OIDC will redirect to the identity provider, return to SignedOutCallbackPath for some clenaup, and then redirect to SignedOutRedirectUri.

[paulomorgado]

I don't think I understand it.

When I navigate to /auth/signout-oidc OpenIdConnectHandler.HandleRequestAsync is invoked and then OpenIdConnectHandler.HandleRemoteSignOutAsync, but the authority is not and doesn't callback to /auth/signout-callback-oidc.

But, if I navigate to /auth/signout-callback-oidc OpenIdConnectHandler.HandleRequestAsync is invoked and then OpenIdConnectHandler.HandleSignOutCallbackAsync, but it doesn't redirect beacause it's missing query arguments.

[Tratcher]

(Resolved offline)

[paulomorgado]

this is the correct way to sign out.