Infer sign out scheme when using external identity providers and asp.net identity

src/AspNetIdentity/IdentityServerBuilderExtensions.cs

@@ -10,6 +10,8 @@
 using Duende.IdentityServer.AspNetIdentity;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Options;
+using Duende.IdentityServer.Configuration;
 
 namespace Microsoft.Extensions.DependencyInjection;
 
@@ -81,6 +83,8 @@ public static IIdentityServerBuilder AddAspNetIdentity<TUser>(this IIdentityServ
         builder.AddResourceOwnerValidator<ResourceOwnerPasswordValidator<TUser>>();
         builder.AddProfileService<ProfileService<TUser>>();
 
+        builder.Services.AddSingleton<IPostConfigureOptions<IdentityServerOptions>, UseAspNetIdentityCookieScheme>();
+
         return builder;
     }
 

src/AspNetIdentity/PostConfigureIdentityServerOptions.cs

@@ -0,0 +1,40 @@
+using Duende.IdentityServer.Configuration;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Options;
+
+namespace Duende.IdentityServer.AspNetIdentity;
+
+/// <summary>
+/// Identity server options configuration
+/// </summary>
+public class UseAspNetIdentityCookieScheme : IPostConfigureOptions<IdentityServerOptions>
+{
+    private readonly IOptions<Microsoft.AspNetCore.Authentication.AuthenticationOptions> _authOptions;
+
+    /// <summary>
+    /// ctor
+    /// </summary>
+    /// <param name="authOptions"></param>
+    public UseAspNetIdentityCookieScheme(IOptions<Microsoft.AspNetCore.Authentication.AuthenticationOptions> authOptions)
+    {
+        _authOptions = authOptions;
+    }
+
+    /// <inheritdoc/>
+    public void PostConfigure(string name, IdentityServerOptions options)
+    {
+        // If we are using ASP.NET Identity and the dynamic providers don't have a
+        // sign out scheme set, then we need the dynamic providers to use ASP.NET
+        // Identity's cookie at sign out time. If the sign out scheme is explicitly
+        // set, then we don't override that though.
+
+        if (DefaultAuthSchemeIsAspNetIdentity() &&
+            !options.DynamicProviders.SignOutSchemeSetExplicitly)
+        {
+            options.DynamicProviders.SignOutScheme = IdentityConstants.ApplicationScheme;
+        }
+
+        bool DefaultAuthSchemeIsAspNetIdentity() => 
+            _authOptions.Value.DefaultAuthenticateScheme == IdentityConstants.ApplicationScheme;
+    }
+}

src/IdentityServer/Configuration/DependencyInjection/Options/DynamicProviderOptions.cs

@@ -31,7 +31,24 @@ public class DynamicProviderOptions
     /// <summary>
     /// Scheme for signout. Defaults to the constant IdentityServerConstants.DefaultCookieAuthenticationScheme.
     /// </summary>
-    public string SignOutScheme { get; set; } = IdentityServerConstants.DefaultCookieAuthenticationScheme;
+    public string SignOutScheme 
+    { 
+        get 
+        {
+            return _signOutScheme ?? IdentityServerConstants.DefaultCookieAuthenticationScheme;
+        } 
+        set 
+        {
+            _signOutScheme = value;
+        }
+    }
+
+    private string? _signOutScheme;
+
+    /// <summary>
+    /// Gets a value indicating if the SignOutScheme was set explicitly, either by application logic or by options binding.
+    /// </summary>
+    public bool SignOutSchemeSetExplicitly { get => _signOutScheme != null; }
 
     /// <summary>
     /// Registers a provider configuration model and authentication handler for the protocol type being used.