Asp.Net OpenID Logout Issues

Hello,

I’m trying to implement logout in my Asp.Net application. My code is based on the quick start from here:
okta-aspnet-mvc-example/OktaAspNetExample at master · oktadev/okta-aspnet-mvc-example · GitHub

When I initiate Okta logout I’m getting the following issues:

  1. Okta API /logout endpoint does not support CORS so browser blocks any requests.
  2. After adding CORS plugin to Chrome I’m getting “Not found: Resource not found” exception in response (I can see it in browser console). However I can delete current session using RESTED plugin (DELETE https://dev-522077.oktapreview.com/api/v1/sessions/me).

Please help, thanks in advance.

Normal OpenID Connect Flow does not work because CORS is not supported.
To delete current session I have to use /api/v1/sessions/me endpoint (CORS supported).
The client-side script looks like:

$.ajax({
    url: 'https://dev-{yourId}.oktapreview.com/api/v1/sessions/me',
    type: 'DELETE',
    // send the Okta session cookie with the cross-origin request
    xhrFields: { withCredentials: true },
    success: function (result) {
        window.location.reload();
    }
});

The problem was that cookies were not attached to the request. “xhrFields: { withCredentials: true }” solved the issue.

Assuming your application is set up like the example you linked to, you should log out by calling:

HttpContext.GetOwinContext().Authentication.SignOut(
    CookieAuthenticationDefaults.AuthenticationType, 
    OpenIdConnectAuthenticationDefaults.AuthenticationType);

This does two things:

  • Delete the aspnet cookie that is keeping track of the local session
  • Redirects to Okta to delete the user’s session in Okta

Okta will redirect back to your app on the PostLogoutRedirectUri you set in Startup.cs.

Hi Nate,

I do logout by calling:

HttpContext.GetOwinContext().Authentication.SignOut(
    CookieAuthenticationDefaults.AuthenticationType,
    OpenIdConnectAuthenticationDefaults.AuthenticationType);

But this is not related to the issues described in the first message (especially CORS).

Regards,
Yury

@Urik Sorry for the delay. Did you get this working?

OIDC logout from aspnetcore shouldn’t need CORS. If you get CORS errors doing a logout (unless you are working with a single-page app), something usually isn’t configured right.

Hi Nate,

I know this post is a bit old but I have an asp.net web site and have configured it following the web forms example.

However, when I log out, the cookie seems to be removed but when I’m redirected to okta, I receive a “bad result…invalid Id token” error.

Option 1) seems to remove the cookie but does nothing else.

Context.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);

Option 2) does redirect to okta but presents the invalid id token error

Context.GetOwinContext().Authentication.SignOut( CookieAuthenticationDefaults.AuthenticationType, OpenIdConnectAuthenticationDefaults.AuthenticationType);

Any help would be greatly appreciated!

I’m assuming that either:

The token isn’t getting returned from okta due to potentially not requesting it correctly in startup.cs

It’s not getting saved due to an error or omission within startup.cs

It’s not getting attached and sent to okta during the logout redirect
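
An added example, not part of any post in this thread and not Okta's code: the OIDC logout step is a top-level browser redirect that carries the saved ID token as `id_token_hint`, so the three possibilities listed above can be checked before navigating. The function names, the endpoint path, and the tenant, client and URL values are assumptions constructed for illustration.

```javascript
// Added example: diagnostics for an OIDC RP-initiated logout redirect.
// All names and sample values here are constructed for illustration.

// Decode a JWT payload WITHOUT verifying the signature (diagnostics only).
function decodeJwtPayload(jwt) {
  const parts = String(jwt || '').split('.');
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
  } catch (e) {
    return null;
  }
}
const originOf = (u) => { try { return new URL(u).origin; } catch (e) { return null; } };

// List the reasons the provider is likely to reject this logout request.
function checkLogoutRequest(req) {
  if (!req.idToken) return ['no ID token was saved at sign-in'];
  const claims = decodeJwtPayload(req.idToken);
  if (!claims) return ['id_token_hint is not a well-formed JWT'];
  const problems = [];
  const iss = originOf(claims.iss);
  // Heuristic: the token should come from the server that hosts the logout endpoint.
  if (!iss || iss !== originOf(req.endSessionEndpoint))
    problems.push('ID token issuer and logout endpoint are on different origins');
  if (![].concat(claims.aud).includes(req.clientId))
    problems.push('ID token audience does not include this client');
  return problems;
}

// Build the URL for a top-level navigation (not an XHR, so CORS is not involved).
function buildLogoutUrl(req) {
  const url = new URL(req.endSessionEndpoint);
  url.searchParams.set('id_token_hint', req.idToken);
  url.searchParams.set('post_logout_redirect_uri', req.postLogoutRedirectUri);
  if (req.state) url.searchParams.set('state', req.state);
  return url.toString();
}

// Constructed sample: unsigned token, placeholder tenant, client and URLs.
const b64url = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleRequest = {
  endSessionEndpoint: 'https://dev-example.oktapreview.com/oauth2/v1/logout', // assumed path
  idToken: [b64url({ alg: 'none' }), b64url({ iss: 'https://dev-example.oktapreview.com', aud: 'client-abc' }), 'sig'].join('.'),
  clientId: 'client-abc',
  postLogoutRedirectUri: 'https://app.example.test/',
};
// Browser usage: navigate only when the checks pass.
// if (!checkLogoutRequest(r).length) window.location.assign(buildLogoutUrl(r));
```

In a real deployment the end-session endpoint is read from the provider's discovery metadata rather than hard-coded.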

Hi Nate,

I know this post is a bit old but I have an Asp.net MVC web site.

When I try to log out within 20 minutes or so it redirects to the postlogouturl configured (i.e. OKTA login page). But when I try to log out after or around 60 minutes of session it navigates to the OKTA url and re-logs into the application.

Any help would be greatly appreciated!

HttpContext.GetOwinContext().Authentication.SignOut(
    CookieAuthenticationDefaults.AuthenticationType,
    OpenIdConnectAuthenticationDefaults.AuthenticationType);

I used this code but am not able to log out from OKTA admin. Please help. What code should I use?