oidc - listen for signed out event for the asp.net mvc with spa application

Expecting the same kind of feature for the application. https://github.com/IdentityModel/oidc-client-js/issues/194

The current project is implemented with ASP.NET MVC (SPA). For the login flow, ASP.NET Identity has been used (SSO):

HttpContext.GetOwinContext().Authentication.Challenge(authenticationTypes)

Whenever a user has logged out, all the applications which are using SSO will be logged out. The two applications which are purely Angular based listen to the following event, so whenever the user has logged out from any other application, the event is fired and the logout can be handled in the current application.

const um = new oidc.UserManager(settings);
um.events.addUserSignedOut(() => {
    console.log(`User Signed Out - Event triggered at ${new Date()}`);
});

But in the project which is using MVC and SPA, the same event needs to be handled, and the event is not fired.

On investigating the issue, the following code has been used in the pure SPA application:

const um = new oidc.UserManager(settings);
um.signinRedirectCallback().then((user) => {
});

This creates an iframe in the background which checks the user's login status without interrupting the user.

But the MVC with Angular application, which is using cookie-based authentication, uses the following to authenticate the user. Since I am doing this approach, the above addUserSignedOut event is not firing anyway.

HttpContext.GetOwinContext().Authentication.Challenge(authenticationTypes)

What is missing in the current approach for the addUserSignedOut event to be fired?

Solution 1:[1]

SINGLE LOGOUT MECHANISMS

That's the behaviour from the OIDC Session Management specification, and it must be implemented in the browser. Server-side tech stacks such as ASP.NET have therefore never supported it, and instead can potentially use Back Channel Logout. All forms of single logout are summarised in this Curity article.

USE OF COOKIES

The SPA solution using the session_state parameter relies on the Authorization Server's SSO cookie, and this is no longer fully reliable due to recent browser restrictions. E.g. in the Safari browser, within your app's web origin, this cookie will usually be considered third party and not sent, other than in full screen redirects. Other browsers are expected to also implement this behaviour.

SUMMARY

It can be difficult or impossible to get ideal single logout behaviour these days. End users do not typically expect to be signed out of all apps at once though, so it is usually manageable, and not considered a security vulnerability.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Gary Archer