Hope you are doing good!
I am writing to ask for your advice for one of the scenario where we changed sign-on policy → prompt multifactor option from Every sign on to Once per session(PFA screenshot for easy reference). We made this change based upon the feedback received from business team as team was not comfortable to go through MFA (Push/SMS) in every 20mins (application session timeout case). As per firm standards we cannot extend session timeout from 20 mins.
Now after making this change I am not able to logout from the application as every time when I am explicitly trying to logout I am automatically getting logged in to the application and redirected to home screen(added a video to demonstrate logout flow.)
I am using below code for logout :
API Controller:
HttpContext.Current.GetOwinContext().Authentication.SignOut(
CookieAuthenticationDefaults.AuthenticationType,
OpenIdConnectAuthenticationDefaults.AuthenticationType
);
StartUp.cs
RedirectToIdentityProvider = context =>
{
if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var idToken = context.OwinContext.Authentication.User.Claims
.FirstOrDefault(c => c.Type == “id_token”)?.Value;
context.ProtocolMessage.IdTokenHint = idToken;
}
if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.AuthenticationRequest)
{
if (context.Request.IsAjaxRequest() && context.Response.StatusCode == (int)HttpStatusCode.Unauthorized)
{
context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
context.HandleResponse();
}
}
return Task.FromResult(true);
},
