automatically pass signout callback url when doing fed signouts #2613

source/Core/Configuration/AuthenticationOptions.cs

@@ -94,6 +94,14 @@ public AuthenticationOptions()
         /// </value>
         public bool EnableSignOutPrompt { get; set; }
 
+        /// <summary>
+        /// Gets or sets a value indicating whether IdentityServer automatically sends a callback URL for federated post-logout redirects. Defaults to false.
+        /// </summary>
+        /// <value>
+        /// <c>true</c> if callback URL sent for federated post-logout redirects; otherwise, <c>false</c>.
+        /// </value>
+        public bool EnableAutoCallbackForFederatedSignout { get; set; }
+
         /// <summary>
         /// Gets or sets a value indicating whether IdentityServer automatically redirects back to a validated post_logout_redirect_uri passed to the signout endpoint. Defaults to false.
         /// </summary>

source/Core/Constants.cs

@@ -740,10 +740,11 @@ public static class OwinEnvironment
 
         public static class Authentication
         {
-            public const string SigninId                 = "signinid";
-            public const string SignoutId                = "id";
-            public const string KatanaAuthenticationType = "katanaAuthenticationType";
-            public const string PartialLoginRememberMe = "idsvr:rememberme";
+            public const string SigninId                    = "signinid";
+            public const string SignoutId                   = "id";
+            public const string SignoutStateParamName       = "state";
+            public const string KatanaAuthenticationType    = "katanaAuthenticationType";
+            public const string PartialLoginRememberMe      = "idsvr:rememberme";
         }
 
         public static class LocalizationCategories

source/Core/Endpoints/AuthenticationController.cs

@@ -554,8 +554,14 @@ public async Task<IHttpActionResult> ResumeLoginFromRedirect(string resume)
 
         [Route(Constants.RoutePaths.Logout, Name = Constants.RouteNames.LogoutPrompt)]
         [HttpGet]
-        public async Task<IHttpActionResult> LogoutPrompt(string id = null)
+        public async Task<IHttpActionResult> LogoutPrompt(string id = null, string state = null)
         {
+            if (id == null)
+            {
+                // accept state in place of id for signout cleanups
+                id = state;
+            }
+
             if (id != null && id.Length > MaxSignInMessageLength)
             {
                 Logger.Error("Logout prompt requested, but id param is longer than allowed length");
@@ -627,7 +633,7 @@ public async Task<IHttpActionResult> Logout(string id = null)
             Logger.Info("Clearing cookies");
             context.QueueRemovalOfSignOutMessageCookie(id);
             context.ClearAuthenticationCookies();
-            context.SignOutOfExternalIdP();
+            context.SignOutOfExternalIdP(id);
 
             string clientId = null;
             var message = signOutMessageCookie.Read(id);

source/Core/Extensions/InternalOwinExtensions.cs

@@ -484,7 +484,7 @@ public static void ClearAuthenticationCookies(this IOwinContext context)
                 Constants.PartialSignInAuthenticationType);
         }
 
-        public static void SignOutOfExternalIdP(this IOwinContext context)
+        public static void SignOutOfExternalIdP(this IOwinContext context, string signOutId)
         {
             if (context == null) throw new ArgumentNullException("context");
 
@@ -496,7 +496,18 @@ public static void SignOutOfExternalIdP(this IOwinContext context)
                 var idp = user.GetIdentityProvider();
                 if (idp != Constants.BuiltInIdentityProvider)
                 {
-                    context.Authentication.SignOut(idp);
+                    var authProps = new AuthenticationProperties();
+                    var options = context.ResolveDependency<IdentityServerOptions>();
+
+                    if (options.AuthenticationOptions.EnableAutoCallbackForFederatedSignout)
+                    {
+                        authProps.RedirectUri = context.Environment.GetIdentityServerLogoutUrl().EnsureTrailingSlash();
+                        if (signOutId != null)
+                        {
+                            authProps.RedirectUri = authProps.RedirectUri.AddQueryString(Constants.Authentication.SignoutStateParamName + "=" + signOutId);
+                        }
+                    }
+                    context.Authentication.SignOut(authProps, idp);
                 }
             }
         }

source/Host.Configuration/IdentityServerExtension.cs

@@ -65,21 +65,8 @@ public static IAppBuilder UseIdentityServer(this IAppBuilder app)
                     AuthenticationOptions = new AuthenticationOptions
                     {
                         IdentityProviders = ConfigureIdentityProviders,
-                        EnablePostSignOutAutoRedirect = true
+                        EnableAutoCallbackForFederatedSignout = true
                     },
-
-                    //LoggingOptions = new LoggingOptions
-                    //{
-                    //    EnableKatanaLogging = true
-                    //},
-
-                    //EventsOptions = new EventsOptions
-                    //{
-                    //    RaiseFailureEvents = true,
-                    //    RaiseInformationEvents = true,
-                    //    RaiseSuccessEvents = true,
-                    //    RaiseErrorEvents = true
-                    //}
                 };
 
                 coreApp.UseIdentityServer(idsrvOptions);
@@ -132,33 +119,7 @@ public static void ConfigureIdentityProviders(IAppBuilder app, string signInAsTy
                 Authority = "https://login.windows.net/4ca9cb4c-5e5f-4be9-b700-c532992a3705",
                 ClientId = "65bbbda8-8b85-4c9d-81e9-1502330aacba",
                 RedirectUri = "https://localhost:44333/core/aadcb",
-                PostLogoutRedirectUri = "https://localhost:44333/core/aad-signout",
-                Notifications = new OpenIdConnectAuthenticationNotifications
-                {
-                    RedirectToIdentityProvider = n =>
-                    {
-                        if (n.ProtocolMessage.RequestType == Microsoft.IdentityModel.Protocols.OpenIdConnectRequestType.LogoutRequest)
-                        {
-                            var signOutMessageId = n.OwinContext.Environment.GetSignOutMessageId();
-                            if (signOutMessageId != null)
-                            {
-                                n.OwinContext.Response.Cookies.Append("aad.signout.state", signOutMessageId);
-                            }
-                        }
-                        return Task.FromResult(0);
-                    }
-                }
             };
-            app.Map("/aad-signout", signout =>
-            {
-                signout.Run(async ctx =>
-                {
-                    var state = ctx.Request.Cookies["aad.signout.state"];
-                    ctx.Response.Cookies.Append("aad.signout.state", ".", new Microsoft.Owin.CookieOptions { Expires = DateTime.UtcNow.AddYears(-1) });
-                    await ctx.Environment.RenderLoggedOutViewAsync(state);
-                });
-            });
-
             app.UseOpenIdConnectAuthentication(aad);
 
             var adfs = new WsFederationAuthenticationOptions