I am having an issue where I cannot seem to get my Identity Server logout to show the confirmation first. I downloaded the source code for IdentityServer4 from github and f
I'd recommend implementing the prompt in the client app and then redirecting to endsession when that is complete.
There is no client attribute to control this.
When logging out the client application calls the IdentityServer4 End Session Endpoint.
The signout prompt can be bypassed when a client sends the original id_token. This is passed in as the id_token_hint parameter.
In addition, it indicates if the request for the sign-out has been authenticated, and therefore it's safe to not prompt the user for sign-out (per ref).
ShowSignoutPrompt: Indicates if the user should be prompted for signout based upon the parameters passed to the end session endpoint. (Source PDF)
NOTE: If you are using the JavaScript OIDC-Client-JS library, the 'signoutRedirect' method will internally check (see the _signoutStart method, line 354) for the id_token_hint argument or the user's id_token. So if you are using this library to log a user off and want to force the logout screen, you will have to clear the user.id_token.
Sample section from _signoutStart():
_signoutStart(args = {}, navigator, navigatorParams = {}) {
    ...
    var id_token = args.id_token_hint || user && user.id_token;
    if (id_token) {
        Log.debug("Setting id_token into signout request");
        args.id_token_hint = id_token;
    }
    ...
}
UPDATE:
If you are using IdentityServer4 version 2.x you can use the new class ClientProperty to store key-value pairs. In here you could create a key of "LogoffPromptRequired" and a value of "true" to be used in the client or IdentityServer implementation to determine if the log off screen is required.
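The id_token_hint fallback quoted in the answer above decides whether the sign-out request reaches the end session endpoint authenticated (no prompt) or unauthenticated (prompt shown). The following is an added example, not code from the answer or from oidc-client-js; the host name, the `forcePrompt` option, the helper names and the token value are assumptions made for illustration.

```javascript
// Added example: mirrors the id_token_hint fallback quoted above and shows
// which sign-out requests ask IdentityServer to skip the confirmation screen.
// The endpoint host, user object and token value are constructed.
const END_SESSION = "https://idsrv.example/connect/endsession"; // assumed host

// Same precedence as the quoted _signoutStart(): an explicit hint wins,
// otherwise the stored user's id_token is used.
// forcePrompt is a hypothetical option that drops both.
function resolveIdTokenHint(args, user, forcePrompt) {
  if (forcePrompt) return undefined;
  return args.id_token_hint || (user && user.id_token) || undefined;
}

function buildEndSessionUrl(user, args = {}, { forcePrompt = false } = {}) {
  const url = new URL(END_SESSION);
  const hint = resolveIdTokenHint(args, user, forcePrompt);
  if (hint) {
    url.searchParams.set("id_token_hint", hint);
    // The server only honours post_logout_redirect_uri alongside a valid
    // hint, so it is sent only in that case.
    if (args.post_logout_redirect_uri) {
      url.searchParams.set("post_logout_redirect_uri", args.post_logout_redirect_uri);
    }
  }
  return url.toString();
}

// True when the request carries the hint that lets the server skip the prompt.
function requestsPromptBypass(endSessionUrl) {
  return new URL(endSessionUrl).searchParams.has("id_token_hint");
}

const user = { id_token: "eyJ.constructed.token" }; // constructed, not a real JWT
const args = { post_logout_redirect_uri: "https://app.example/signed-out" };

const silent = buildEndSessionUrl(user, args);
const prompted = buildEndSessionUrl(user, args, { forcePrompt: true });
console.log(requestsPromptBypass(silent), silent);
console.log(requestsPromptBypass(prompted), prompted);
```

Without the hint the request also carries no post_logout_redirect_uri, so returning the user to the client after the confirmation screen has to be handled on the IdentityServer side.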