Bad Request During Sign Out of .NET 7.0 ASP.NET Core Application

I am implementing single-sign-on to Okta based on the following guide.

The guide targets .NET Core 3.1 (as opposed to .NET 7.0 which is what I am using) but it helped with implementing single-sign-on and that seems to be working as expected.

I have implemented single-sign-out as described in point 6. here.

This involved adding a controller action like this.

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Okta.AspNetCore;

[HttpPost]
public IActionResult SignOut()
{
    // Sign out of both the Okta (OIDC) scheme and the local cookie scheme,
    // then land on /Home/ once the sign-out round trip completes.
    return new SignOutResult(
        new[]
        {
            OktaDefaults.MvcAuthenticationScheme,
            CookieAuthenticationDefaults.AuthenticationScheme,
        },
        new AuthenticationProperties { RedirectUri = "/Home/" });
}

I also configured the Okta Application with the Sign-out redirect URIs as described here. See point 9. in the second numbered list.

  1. Enter the Sign-out redirect URIs for both local development, such as http://localhost:xxxx/signout/callback.

When I make a request to the SignOut action on the controller, I can see that the user is being logged out of the cookie authentication scheme in the response. The cookie is set with an expiry in the past.

I can also see that the response redirects to the following URL. Note that I have redacted the Okta domain and state value.

https://dev-XXXXXXXX.okta.com/oauth2/default/v1/logout?post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A7197%2Fsignout%2Fcallback&state=XXXXXXXX&x-client-SKU=ID_NET6_0&x-client-ver=6.21.0.0

The status of the response from that request is 400 Bad Request.


Manipulating the Sign-out redirect URIs in the Okta Application (or even completely removing it) has no effect on the response to this request.

I also tried paring the action down to the following. This did not affect the Bad Request response.

public IActionResult SignOut()
{
    // Pared-down variant: sign out of the Okta scheme only.
    return new SignOutResult(
        new[]
        {
            OktaDefaults.MvcAuthenticationScheme,
        });
}

I do not see entries in the Okta System Log that are related to these requests.

How can I resolve this issue and get single-sign-out to work as expected?

Is there a more relevant guide for .NET 7.0 that I should be working off?


I don’t see an id_token_hint included in the /logout redirect, which is likely the cause of this failure.

Thanks @andrea. Is there something special that I would have needed to do with the SignOutResult to ensure that the id_token_hint is included?

Note that we fell back to a generic OpenIDConnect library and it seems to be doing everything that we want it to.

Hmm… Might want to make sure/see if the ID token is still available when the user is logging out (and that it's not getting cleared before you can fetch it!).

I believe I’ve also seen cases where OWIN clears the tokens out of storage after they expire, but before the application’s session expires and before the user may choose to sign out of the app. I’m not sure if there is a way to ensure that the ID token itself is persisted specifically for using the /logout endpoint, maybe you can persist it yourself?

Even if the ID Token is expired, the /logout request should still work, as mentioned in our docs:

If the ID token is valid, but expired, and the subject matches the current Okta session, a logout request logs the user out and redirects the browser to the post_logout_redirect_uri.
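A configuration that keeps the ID token available for the /logout redirect, as an added example that is not code from this thread, from Okta's samples or from the original poster's project. It uses the generic Microsoft OpenIdConnect handler (the fallback mentioned above) on .NET 7 minimal hosting, and assumes placeholder configuration keys Okta:Domain, Okta:ClientId and Okta:ClientSecret.

```csharp
// Program.cs for an ASP.NET Core 7 app. Added example; not code from the thread.
// Assumed (placeholder) configuration keys: Okta:Domain, Okta:ClientId, Okta:ClientSecret.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
var okta = builder.Configuration.GetSection("Okta");

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = $"https://{okta["Domain"]}/oauth2/default";
        options.ClientId = okta["ClientId"];
        options.ClientSecret = okta["ClientSecret"];
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.CallbackPath = "/authorization-code/callback";
        // Must match a Sign-out redirect URI registered on the Okta application.
        options.SignedOutCallbackPath = "/signout/callback";
        // Store id_token in the auth cookie so the handler can read it back at sign-out;
        // without it the /logout redirect carries no id_token_hint (the symptom above).
        options.SaveTokens = true;
        options.Events.OnRedirectToIdentityProviderForSignOut = async context =>
        {
            // The handler fills IdTokenHint itself from the saved token; this hook is
            // where you would observe it, or supply it if you persisted it elsewhere.
            var idToken = await context.HttpContext.GetTokenAsync("id_token");
            if (!string.IsNullOrEmpty(idToken))
                context.ProtocolMessage.IdTokenHint = idToken;
        };
    });

var app = builder.Build();
app.UseAuthentication();

// Sign the user out of the Okta session and the local cookie in one step.
app.MapPost("/signout", () => Results.SignOut(
    new AuthenticationProperties { RedirectUri = "/Home/" },
    new[] { OpenIdConnectDefaults.AuthenticationScheme,
            CookieAuthenticationDefaults.AuthenticationScheme }));

app.Run();
```

With SaveTokens enabled, the redirect to /oauth2/default/v1/logout should now carry id_token_hint alongside post_logout_redirect_uri and state.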