I'm executing a GET to
GET https://localhost:44301/connect/endsession?id_token_hint=eyJhbGciO...GzHCPw
as suggested in the docs for the EndSession endpoint.
It seems to work (in a way) because I get a hit on my breakpoint in the method redirected to.
[HttpGet("logout")]
public async Task<IActionResult> LogOut(
[FromQuery] string id_token_hint,
[FromQuery] string post_logout_redirect_uri,
[FromQuery] string session,
[FromQuery] string logoutId)
{
LogoutRequest context = await InteractionService
.GetLogoutContextAsync(logoutId);
...
}
Here, I'm getting a value in logoutId (unless I skip passing the identity token, resulting in null), while the other variables are not set, staying as null. At first, I was happy to see that context wasn't null. However, I soon learned that it's set poorly, despite following stuff that works.
I can see the client's name and ID (which seem to be correct). However, everything else is null except for the array Parameters, which contains zero elements.
I've made sure to pass in the identity token, not access token. I've also tried the full version with all the parameters described in the docs (trying various redirect URLs both mentioned in my configuration and others). The same (mis)behavior followed, though.
GET https://localhost:44301/connect/endsession
?id_token_hint=eyJhbGciO...GzHCPw
&post_logout_redirect_uri=https://get_the_duck.off
&session=1337
Since I'm getting the breakpoint hit and receive some value as logoutId parsable by the interaction service, I feel that it's wired up correctly (which is expected, since the security as such works as expected). However, my application seems to be a stalker and just won't let them go, so to speak. I suspect there's some tiny detail that the docs don't mention (or obscure in a formulation I don't comprehend). (Googling gave nothing I recognized as relevant.)
Proof of effort (along with a bunch of blogs on security, not dedicated to the signout specifically).
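For readers following this question, here is an added, self-contained C# illustration (not IdentityServer4's code and not part of the original post) of the checks an OpenID Connect end-session endpoint performs before it honours the parameters in a request like the one above: the id_token_hint identifies the client (aud) and session (sid), and post_logout_redirect_uri is only accepted when it exactly matches a URI registered for that client, otherwise it is dropped rather than redirected to. The client registration, the claim layout, the helper names and the constructed token are assumptions of this example; a real server also verifies the token's signature with its own signing keys, which is omitted here to keep the sample dependency-free.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

// Added example: a minimal model of end-session request validation.
// Not IdentityServer4's implementation; names and data are assumptions.
public sealed class EndSessionOutcome
{
    public string ClientId { get; init; }
    public string SessionId { get; init; }
    public string PostLogoutRedirectUri { get; init; }  // null when the URI is not registered
    public string Error { get; init; }                  // null when the request is valid
}

public static class EndSessionValidator
{
    // Assumed client registration: client id -> registered post-logout redirect URIs.
    private static readonly Dictionary<string, string[]> RegisteredClients = new()
    {
        ["mvc"] = new[] { "https://localhost:5002/signout-callback-oidc" },
    };

    public static EndSessionOutcome Validate(string idTokenHint, string postLogoutRedirectUri)
    {
        if (string.IsNullOrEmpty(idTokenHint))
            return new EndSessionOutcome { Error = "id_token_hint missing: request cannot be attributed to a client or session" };

        // A real server verifies the JWS signature before trusting any claim;
        // this example only decodes the payload so it runs without a key store.
        var parts = idTokenHint.Split('.');
        if (parts.Length != 3)
            return new EndSessionOutcome { Error = "id_token_hint is not a JWS compact serialization" };

        using var payload = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        var root = payload.RootElement;
        // Assumes a single string audience; a JWT may also carry an array here.
        string clientId = root.TryGetProperty("aud", out var aud) ? aud.GetString() : null;
        string sid = root.TryGetProperty("sid", out var s) ? s.GetString() : null;

        if (clientId == null || !RegisteredClients.TryGetValue(clientId, out var allowed))
            return new EndSessionOutcome { Error = "aud claim does not name a registered client" };

        // Exact match against the registered list only; anything else is discarded
        // so the endpoint cannot be used as an open redirector.
        string redirect = allowed.Contains(postLogoutRedirectUri, StringComparer.Ordinal)
            ? postLogoutRedirectUri
            : null;

        return new EndSessionOutcome { ClientId = clientId, SessionId = sid, PostLogoutRedirectUri = redirect };
    }

    private static byte[] Base64UrlDecode(string input)
    {
        string s = input.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Convert.FromBase64String(s);
    }

    private static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Builds an unsigned token from a JSON payload so the sample runs offline.
    // Constructed sample data, not a real identity token.
    public static string ConstructedToken(string payloadJson)
    {
        string header = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"none\"}"));
        string body = Base64UrlEncode(Encoding.UTF8.GetBytes(payloadJson));
        return header + "." + body + ".";
    }

    public static void Main()
    {
        string token = ConstructedToken("{\"aud\":\"mvc\",\"sid\":\"1337\",\"sub\":\"alice\"}");

        // Registered URI: client, session and redirect are all populated.
        var ok = Validate(token, "https://localhost:5002/signout-callback-oidc");
        Console.WriteLine($"client={ok.ClientId} sid={ok.SessionId} redirect={ok.PostLogoutRedirectUri ?? "(none)"}");

        // Unregistered URI: the client is still identified, but no redirect is honoured.
        var unregistered = Validate(token, "https://get_the_duck.off");
        Console.WriteLine($"client={unregistered.ClientId} redirect={unregistered.PostLogoutRedirectUri ?? "(none)"}");

        // No hint at all: nothing can be attributed, so the request is rejected.
        var noHint = Validate(null, "https://localhost:5002/signout-callback-oidc");
        Console.WriteLine(noHint.Error);
    }
}
```

The point worth keeping in mind when debugging a thin logout context is that a server following the RP-Initiated Logout rules deliberately leaves the redirect empty whenever the supplied post_logout_redirect_uri is not on the client's registered list, and cannot fill in client or session details without a verifiable id_token_hint.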