Single Sign Out in IdentityServer4 with Back Channel Logout
As we all know IdentityServer is built with the concept of the central identity provider and it is supporting single sign-on by default as part of its main feature, but the single sign out is not coming as a part of inbuilt feature till IdentityServer3. Now they have added support for front-channel and back-channel specification for server-side clients in IdentityServer4.
During the journey to set up and work with Identityserver4, sometimes it is difficult to understand that how these flow works and enable single sign out? Here, I am going to explain how to setup it for Asp.net core web application client and how it works when multiple clients are there and we need to log out from all the applications when one client application initiate sign out request.
1) Add Back Channel Uri to client configurations like shown below:
This will configure Back Channel Uri for the client in identity server and it is called after client application initiates log out.
When any client initiates log out, first its own logout method is called, which is shown below.
This is the normal log out URL of the client set up as logout link.
It will consecutively call identity server logout method and if you try to inspect model to be rendered on loggedOut view inside Identity server Logout method you will be able to see SignOutIframeUrl like shown below.
This SignOutIframeUrl endpoint will call BackChannelLogoutUri of all back channel clients which are signed in and trigger sign out request on all of them.
2) BackChannelLogoutUri setup and reject application cookies on logout in client application:
Now create two services CookieEventHandler and LogoutUserManager and add it in the startup.cs like shown below:
Here, LogoutUserManager is added as the singleton as we want to manage data of the users for which BackChannelLogoutUri is called for Logout. Based on this user data we will reject its cookie using CookieEventHandler and logged out that user from the application.
Add LogoutUserManager and CookieEventHandler like shown below:
Now Add LogoutController and setup BackChannelLogoutUri method which is being called from Identity Server when any of the clients initiates log out. This method is invoked by IdentityServer4 using the server to server communication to send sign out message as part of single sign out.
In this method, response headers are added as it is part of OpenId Connect Front-Channel specifications and after that token is validated and got claims for the user. Now user claims are added in LogoutUsers add method.
The user is not logged out yet, but now when we try to access any functionality of the application for the user, it will first call ValidatePrincipal() method and we have already added users in LogoutUsers, so it will reject principal and signed out the user from the application.
You can check ValidateLogoutToken code is shown below.
To summarise, we understood how to configure back channel logout functionality of IdentityServer4, how it works by triggering the server to server requests and achieved single sign out among various clients by configuring back channel logout in each of them.
Posted by: Riddhi Dhingani