This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

Logging out from Identity Server 4 won't log out from Client #3212

Closed
jculverwell opened this issue Apr 24, 2019 · 3 comments

Comments


jculverwell commented Apr 24, 2019

I believe this is the same issue as #3153 that was reported a couple of weeks ago. I am using this quickstart: https://github.com/IdentityServer/IdentityServer4.Samples/blob/master/Quickstarts/Combined_AspId_and_EFStorage/ and when you log out it is not also logging out of the client SPA. I believe the issue is that the link to logout on the quickstart does not include the logoutId. More detail below.

Looks like the issue is that in the quickstarts layout https://github.com/IdentityServer/IdentityServer4.Samples/blob/master/Quickstarts/Combined_AspId_and_EFStorage/src/IdentityServer/Views/Shared/_Layout.cshtml

the link to the logout controller does not pass the logoutId argument

```cshtml
@if (!string.IsNullOrWhiteSpace(name))
{
    <ul class="nav navbar-nav">
        <li class="dropdown">
            <a href="#" class="dropdown-toggle" data-toggle="dropdown">@name <b class="caret"></b></a>
            <ul class="dropdown-menu">
                <li><a asp-action="Logout" asp-controller="Account">Logout</a></li>
            </ul>
        </li>
    </ul>
}
```

...which the AccountController expects

https://github.com/IdentityServer/IdentityServer4.Samples/blob/master/Quickstarts/Combined_AspId_and_EFStorage/src/IdentityServer/Quickstart/Account/AccountController.cs

```csharp
public async Task<IActionResult> Logout(string logoutId)
{
    // build a model so the logout page knows what to display
    var vm = await BuildLogoutViewModelAsync(logoutId);

    if (vm.ShowLogoutPrompt == false)
    {
        // if the request for logout was properly authenticated from IdentityServer, then
        // we don't need to show the prompt and can just log the user out directly.
        return await Logout(vm);
    }

    return View(vm);
}
```

As a result vm.TriggerExternalSignout is false, which means the external signout does not get called.

```csharp
/// <summary>
/// Handle logout page postback
/// </summary>
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout(LogoutInputModel model)
{
    // build a model so the logged out page knows what to display
    var vm = await BuildLoggedOutViewModelAsync(model.LogoutId);

    if (User?.Identity.IsAuthenticated == true)
    {
        // delete local authentication cookie
        await _signInManager.SignOutAsync();

        // raise the logout event
        await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName()));
    }

    // check if we need to trigger sign-out at an upstream identity provider
    if (vm.TriggerExternalSignout)
    {
        // build a return URL so the upstream provider will redirect back
        // to us after the user has logged out. this allows us to then
        // complete our single sign-out processing.
        string url = Url.Action("Logout", new { logoutId = vm.LogoutId });

        // this triggers a redirect to the external provider for sign-out
        return SignOut(new AuthenticationProperties { RedirectUri = url }, vm.ExternalAuthenticationScheme);
    }

    return View("LoggedOut", vm);
}
```
jculverwell (Author) commented

Sorry, I got this completely wrong. This is not an issue. I was confusing the signing out of the provider with the client. As it happens, my provider, Amazon, does not support this.

LindaLawton (Contributor) commented

I should probably add a note in the documentation that most authorization providers do not allow third party applications to log them out. Google doesn't either.


lock bot commented Jan 11, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 11, 2020