Asp.Net OpenID Logout Issues

dotnet

#1

Hello,

I’m trying to implement logout in my Asp.Net application. My code is based on the quick start from here:
https://github.com/oktadeveloper/okta-aspnet-mvc-example/tree/master/OktaAspNetExample

When I initiate Okta logout I’m getting the following issues:

  1. The Okta API /logout endpoint does not support CORS, so the browser blocks any requests.
  2. After adding a CORS plugin to Chrome I’m getting a “Not found: Resource not found” exception in the response (I can see it in the browser console). However, I can delete the current session using the RESTED plugin (DELETE https://dev-522077.oktapreview.com/api/v1/sessions/me).

Please help, thanks in advance.


#2

The normal OpenID Connect flow does not work because CORS is not supported.
To delete the current session I have to use the /api/v1/sessions/me endpoint (CORS supported).
The client-side script looks like:

    $.ajax({
        url: 'https://dev-{yourId}.oktapreview.com/api/v1/sessions/me',
        type: 'DELETE',
        // Attach cookies to the cross-origin request
        xhrFields: { withCredentials: true },
        success: function (result) {
            window.location.reload();
        }
    });

The problem was that cookies were not attached to the request. “xhrFields: { withCredentials: true }” solved the issue.


#3

Assuming your application is set up like the example you linked to, you should log out by calling:

HttpContext.GetOwinContext().Authentication.SignOut(
    CookieAuthenticationDefaults.AuthenticationType, 
    OpenIdConnectAuthenticationDefaults.AuthenticationType);

This does two things:

  • Deletes the aspnet cookie that is keeping track of the local session
  • Redirects to Okta to delete the user’s session in Okta

Okta will redirect back to your app on the PostLogoutRedirectUri you set in Startup.cs.


#4

Hi Nate,

I do logout by calling:

HttpContext.GetOwinContext().Authentication.SignOut(
    CookieAuthenticationDefaults.AuthenticationType,
    OpenIdConnectAuthenticationDefaults.AuthenticationType);

But this is not related to the issues described in the first message (especially CORS).

Regards,
Yury


#5

@Urik Sorry for the delay. Did you get this working?

OIDC logout from aspnetcore shouldn’t need CORS. If you get CORS errors doing a logout (unless you are working with a single-page app), something usually isn’t configured right.
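
Added example, not part of the thread or of Okta's sample code: the redirect that posts #3 and #5 describe is a top-level browser navigation to the provider's end-session endpoint, which is why the same-origin policy and CORS do not come into play. The sketch below builds that URL and checks the return to the post-logout page. It assumes the parameter names of the OpenID Connect RP-Initiated Logout specification; the hosts, paths, token and state values are constructed placeholders, and both function names are hypothetical.

```javascript
// Constructed sample of the relevant part of an OIDC discovery document.
const SAMPLE_DISCOVERY = {
  issuer: 'https://idp.example.test',
  end_session_endpoint: 'https://idp.example.test/oauth2/v1/logout'
};

// Build the URL the browser must navigate to in order to end the IdP session.
// idToken is the ID token issued at sign-in; state is a random value the app
// generated and stored before starting the logout.
function buildLogoutUrl(discovery, idToken, postLogoutRedirectUri, state) {
  if (!discovery.end_session_endpoint) {
    throw new Error('provider does not advertise end_session_endpoint');
  }
  const endpoint = new URL(discovery.end_session_endpoint);
  if (endpoint.protocol !== 'https:') {
    throw new Error('end_session_endpoint must use https');
  }
  if (!idToken || !state) {
    throw new Error('id_token_hint and state are required here');
  }
  endpoint.searchParams.set('id_token_hint', idToken);
  endpoint.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  endpoint.searchParams.set('state', state);
  return endpoint.toString();
}

// Check the request that arrives back at the post-logout page: it must hit
// the registered URI and echo the state that was stored before the redirect.
function isExpectedLogoutReturn(returnUrl, postLogoutRedirectUri, expectedState) {
  const got = new URL(returnUrl);
  const want = new URL(postLogoutRedirectUri);
  return got.origin === want.origin &&
         got.pathname === want.pathname &&
         got.searchParams.get('state') === expectedState;
}

// In a browser the logout is started with a navigation, not with $.ajax:
//   window.location.assign(buildLogoutUrl(discovery, idToken, uri, state));
// A navigation carries the provider's session cookie on its own, so no CORS
// headers and no withCredentials flag are involved.
```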