Asp.Net UseOktaMvc logout

I’m working on an ASP.Net MVC application and can’t get logout to work. How do I specify the client_id and id_token_hint when using UseOktaMvc? I’ve seen the other post about having an event handler when using app.UseOpenIdConnectAuthentication, but I can’t figure out how to specify an event handler when using UseOktaMvc.

Startup.cs

using System.Collections.Generic;
using System.Configuration;
using System.Net;
using Microsoft.Owin.Security.Cookies;
using Okta.AspNet;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Note: Ssl3 and Tls (1.0) are deprecated protocols; Tls12 on its own is enough for Okta.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls12 | SecurityProtocolType.Tls;

        // Sign-ins from the Okta middleware are persisted in the cookie authentication scheme.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOktaMvc(new OktaMvcOptions()
        {
            OktaDomain = ConfigurationManager.AppSettings["okta:OktaDomain"],
            ClientId = ConfigurationManager.AppSettings["okta:ClientId"],
            ClientSecret = ConfigurationManager.AppSettings["okta:ClientSecret"],
            AuthorizationServerId = ConfigurationManager.AppSettings["okta:AuthorizationServerId"],
            RedirectUri = ConfigurationManager.AppSettings["okta:RedirectUri"],
            PostLogoutRedirectUri = ConfigurationManager.AppSettings["okta:PostLogoutRedirectUri"],
            GetClaimsFromUserInfoEndpoint = true,
            Scope = new List<string> { "openid", "profile", "email" },
        });
    }
}

Login method:

    public ActionResult Login()
    {
        if (!HttpContext.User.Identity.IsAuthenticated)
        {
            // Hand off to the Okta OWIN middleware, which redirects the browser to Okta to sign in.
            HttpContext.GetOwinContext().Authentication.Challenge(
                OktaDefaults.MvcAuthenticationType);
            return new HttpUnauthorizedResult();
        }

        return RedirectToAction("Index", "Home"); // already signed in (return target assumed)
    }

I’ve tried specifying them as follows in the signout but that doesn’t work -

    // props is a Microsoft.Owin.Security.AuthenticationProperties instance (declaration not shown in the original post).
    var props = new AuthenticationProperties();
    props.Dictionary.Add("id_token_hint", SessionManager.OktaInfo.IdToken);
    props.Dictionary.Add("client_id", SessionManager.OktaInfo.OktaClientId);

    // Sign out of both the local cookie and the Okta (OpenID Connect) scheme.
    var authTypes = new string[] { CookieAuthenticationDefaults.AuthenticationType, OktaDefaults.MvcAuthenticationType };
    HttpContext.GetOwinContext().Authentication.SignOut(props, authTypes);
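The event-handler approach the question refers to, shown as an added example on the generic Katana OpenID Connect middleware (Microsoft.Owin.Security.OpenIdConnect 4.x) rather than on UseOktaMvc; it is not code from this thread or from Okta's SDK. The Okta domain, authorization server, URIs, response type and the "id_token" claim name are assumptions; the point is that the ID token captured at sign-in is attached as id_token_hint to the /logout redirect, which Okta's logout endpoint requires to end its own session rather than only clearing the local cookie.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class StartupOidcExample
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // Assumed placeholder values; take them from configuration in a real app.
            ClientId = "{clientId}",
            ClientSecret = "{clientSecret}",
            Authority = "https://{yourOktaDomain}/oauth2/default",
            RedirectUri = "https://localhost:44300/authorization-code/callback",
            PostLogoutRedirectUri = "https://localhost:44300/",
            ResponseType = OpenIdConnectResponseType.CodeIdToken, // hybrid flow, assumed enabled on the Okta app
            Scope = "openid profile email",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Keep the raw ID token on the signed-in identity so it is available at sign-out.
                SecurityTokenValidated = n =>
                {
                    n.AuthenticationTicket.Identity.AddClaim(
                        new Claim("id_token", n.ProtocolMessage.IdToken));
                    return Task.FromResult(0);
                },
                // Runs for both the authorize and the logout redirect; only touch the logout one.
                RedirectToIdentityProvider = n =>
                {
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
                    {
                        var idToken = n.OwinContext.Authentication.User?.FindFirst("id_token")?.Value;
                        if (!string.IsNullOrEmpty(idToken))
                            n.ProtocolMessage.IdTokenHint = idToken; // client_id is already set from ClientId
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

Because the ID token travels in the authentication cookie rather than in ASP.NET session state, regenerating the session ID between requests does not affect this hand-off.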

Our .NET middleware should be handling log out for you. Can you try out one of our sample .NET applications to see if they work? Here’s how it handles logout:

    public ActionResult Logout()
    {
        if (HttpContext.User.Identity.IsAuthenticated)
        {
            HttpContext.GetOwinContext().Authentication.SignOut(
                CookieAuthenticationDefaults.AuthenticationType,
                OktaDefaults.MvcAuthenticationType);
        }

        return RedirectToAction("Index", "Home");
    }

I first downloaded the example okta-aspnet-mvc-example, built and ran it. Here’s what happens:

  1. Click Login
  2. Get sent to Okta to login
  3. Click Logout
  4. Click Login
  5. You do NOT get sent back to Okta; the code continues.

So it appears that you never really got logged out. However, the example code doesn’t generate the errors about needing client_id or id_token_hint.

Does the middleware rely on the ASP.Net session ID remaining the same from the initial login request through sign out? If so, that will be a problem for us, because for security reasons we generate new ASP session IDs between requests.

Do you see a /logout request happening if you look at the network calls made by the app?

Hi,
You can test this with the okta-aspnet-mvc-example.

  1. Click login
  2. The Account controller login method is invoked. The method detects that the user isn’t authenticated and the redirect to Okta occurs.
  3. After logging in, click Log Out. The logout method detects the user is authenticated and calls the Owin signout method.
  4. Click Login. The login method believes that you are still authenticated and doesn’t redirect you to Okta to sign in again.