IdentityServer4 back-channel logout problem

by

Using IdentityServer4 on ASP.NET Core 2.
Two clients relevant for this use case using ASP.NET MVC5.

EDIT: Using cookies for authentication, implicit flow.

Using the back-channel sign out like this:
* There are 4 applications involved – two clients (let’s called them client A and client B), IdentityServer instance, and a state server to keep track of back-channel sign out requests.

  1. Client A initiates the sign out, invalidates the sign-in cookie.
  2. Client A user gets redirected to IdentityServer’s /account/logout with a correct id_token.
  3. IdentityServer invalidates the sign-in cookie and calls back-channel sign out actions for all signed-in clients.
  4. Back-channel sign out action of client B validate the request and notify the state server of the log-out request.
  5. When the next request towards the client B is made, that client queries the state server and obtains information about an outstanding sign out request, which causes it to invalidate the sign-out cookie, thus resulting in successful sign out.

The state server keeps track of the two parameters: sub and sid claims from id_token.

I am having the following problem:

When users sign in to a client A, then navigate to the client B and then perform the sign out there, client B is signed out, but client A not until the next request towards it is made. So if users now decide to sign in to client B with another (or the same, doesn’t matter) account and only then navigate to client A, client A will initiate the sign out because there was an outstanding sign out request waiting on the state server, disregarding the fact that users have signed in again in the meantime.

Does anyone have an idea on how to prevent this?

Contents hide
Answers:
Method 1

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

Following your scenario, I can’t see any problem when your client A performs a “lazy sign-out” which triggers a new challenge to IdSrv, finishing with a new token and a new cookie.
The main point should be not to trigger a (cyclic) single sign-out on each particular “lazy sign out”.


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x