
Sign out

Open chentiangemalc opened this issue 1 year ago • 2 comments

Description

This works well, but it would be beneficial to also give info on how to set up sign out correctly, as this seems more complicated to do correctly (or at least for those of us who have never worked with this before), with all kinds of different advice on how to achieve it found online but none that work for me. For example, I use HttpContext.SignOutAsync(); and on RedirectToPage User.Identity.IsAuthenticated is set to false as expected, which is great. But then reloading any URL with [Authorize] suddenly automatically logs me back in again without showing the logon prompt, and breakpoints on my login URLs are not hit. In this case I am using Google auth with

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.Google;

var builder = WebApplication.CreateBuilder(args);

// Client credentials read from configuration (user secrets in development);
// the keys match the ones used on the linked docs page.
var googleClientId = builder.Configuration["Authentication:Google:ClientId"]!;
var googleClientSecret = builder.Configuration["Authentication:Google:ClientSecret"]!;

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = GoogleDefaults.AuthenticationScheme; // Change the default challenge scheme to Google
})
.AddCookie(options =>
{
    options.LoginPath = "/Account/Login"; // Specify your login page path
                                          // Add other cookie authentication options as needed
})
.AddGoogle(options =>
{
    options.ClientId = googleClientId;
    options.ClientSecret = googleClientSecret;
});
```

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?view=aspnetcore-8.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/authentication/social/google-logins.md

Document ID

747a179e-90b7-de07-e270-82414963048a

Article author

@Rick-Anderson

Associated WorkItem - 198662

chentiangemalc, Jan 05 '24 21:01

@Tratcher in #6180 you and @blowdart seem to indicate this is not fixable, at least for FB. On SO, "HttpContext.Authentication.SignOutAsync does not delete auth cookie" was asked 7 years ago and has been viewed 45K times.

In this comment, @HaoK says: "basically don't redirect after a sign out call".

Rick-Anderson, Jan 10 '24 01:01

Yes, this is a protocol limitation of OAuth2. When you sign out you only remove the local cookie; you do not sign out from the remote provider (Google/Facebook, etc.). Accessing an [Authorize]'d page causes you to redirect to the remote provider, and since you're still signed in there, you return immediately.

The only solution is to use the OpenIdConnect protocol instead of OAuth2, if your provider supports it (Google should, Facebook doesn't). That allows for signing out of both the local application and the remote provider. Something like this: https://developers.onelogin.com/blog/how-to-use-openid-connect-authentication-with-dotnet-core

Tratcher, Jan 10 '24 01:01
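The following is an added example, not code from the docs page, the issue author or the ASP.NET Core team. It puts the two points of the thread into one minimal-API `Program.cs`: the configuration in the issue makes Google the default challenge scheme, so every `[Authorize]` hit after `SignOutAsync` is bounced straight back to Google, which still holds a session; keeping the cookie scheme as the default challenge scheme sends the signed-out user to the local login page instead, and only that page challenges an external scheme. The logout endpoint then signs out of the cookie and, for a session that came from an OpenID Connect provider, of the provider as well. Assumptions: the `Authentication:Google:*` and `Authentication:Oidc:*` configuration keys, the scheme name `oidc`, the `login_scheme` claim used to remember which scheme signed the user in, and the `Microsoft.AspNetCore.Authentication.Google` and `Microsoft.AspNetCore.Authentication.OpenIdConnect` packages. Whether the remote sign-out actually ends the provider session depends on that provider publishing an `end_session_endpoint` in its discovery document (`<authority>/.well-known/openid-configuration`); check that before relying on it, which is why the example falls back to a local redirect when the endpoint is absent.

```csharp
// Added example (not from the docs page or the issue). Assumed: the config keys,
// the "oidc" scheme name, the "login_scheme" claim, and the Google/OpenIdConnect packages.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.Google;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.WebUtilities;

var builder = WebApplication.CreateBuilder(args);
var config = builder.Configuration;
const string LoginSchemeClaim = "login_scheme"; // which external scheme produced the cookie

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    // Cookie, not Google, as the challenge scheme: [Authorize] on a signed-out user now
    // lands on LoginPath instead of being sent to Google, where the session still exists.
    options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    options.LoginPath = "/Account/Login";
    options.LogoutPath = "/Account/Logout";
})
.AddGoogle(options =>
{
    options.ClientId = config["Authentication:Google:ClientId"]!;
    options.ClientSecret = config["Authentication:Google:ClientSecret"]!;
    // Ask Google for its account chooser instead of silently reusing the live session.
    options.Events.OnRedirectToAuthorizationEndpoint = ctx =>
    {
        ctx.Response.Redirect(QueryHelpers.AddQueryString(ctx.RedirectUri, "prompt", "select_account"));
        return Task.CompletedTask;
    };
    options.Events.OnTicketReceived = ctx => Tag(ctx, GoogleDefaults.AuthenticationScheme);
})
.AddOpenIdConnect("oidc", options =>
{
    options.Authority = config["Authentication:Oidc:Authority"]; // assumed key
    options.ClientId = config["Authentication:Oidc:ClientId"]!;
    options.ClientSecret = config["Authentication:Oidc:ClientSecret"];
    options.ResponseType = "code";
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.SignedOutRedirectUri = "/";
    options.Events.OnTicketReceived = ctx => Tag(ctx, "oidc");
    // Failure mode: provider discovery document without end_session_endpoint. The handler
    // would redirect to an empty issuer address, so finish with a local redirect instead.
    options.Events.OnRedirectToIdentityProviderForSignOut = ctx =>
    {
        if (string.IsNullOrEmpty(ctx.ProtocolMessage.IssuerAddress))
        {
            ctx.Response.Redirect(ctx.Properties?.RedirectUri ?? "/");
            ctx.HandleResponse();
        }
        return Task.CompletedTask;
    };
});
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// The login page is the only place that challenges an external scheme ("Google" or "oidc").
app.MapGet("/Account/Login", (string? scheme, string? returnUrl) =>
{
    var target = IsLocalUrl(returnUrl) ? returnUrl! : "/"; // reject open-redirect targets
    var encoded = Uri.EscapeDataString(target);
    if (scheme is null)
        return Results.Content(
            $"<a href=\"/Account/Login?scheme=Google&returnUrl={encoded}\">Google</a> " +
            $"<a href=\"/Account/Login?scheme=oidc&returnUrl={encoded}\">OpenID Connect</a>", "text/html");
    return Results.Challenge(new AuthenticationProperties { RedirectUri = target }, new[] { scheme });
});

// Local sign-out always; remote sign-out too when the session came from the OIDC scheme.
app.MapPost("/Account/Logout", (ClaimsPrincipal user) =>
{
    var schemes = new List<string> { CookieAuthenticationDefaults.AuthenticationScheme };
    if (user.FindFirstValue(LoginSchemeClaim) == "oidc")
        schemes.Add("oidc");
    return Results.SignOut(new AuthenticationProperties { RedirectUri = "/" }, schemes);
});

app.MapGet("/secure", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}").RequireAuthorization();
app.MapGet("/", () => "home");
app.Run();

// Stamp the principal with the scheme that signed it in so logout knows whom to notify.
Task Tag(TicketReceivedContext ctx, string scheme)
{
    ctx.Principal?.Identities.First().AddClaim(new Claim(LoginSchemeClaim, scheme));
    return Task.CompletedTask;
}

bool IsLocalUrl(string? url) =>
    !string.IsNullOrEmpty(url) && url[0] == '/' && !url.StartsWith("//") && !url.StartsWith("/\\");
```

After `POST /Account/Logout`, a request to `/secure` is now redirected to `/Account/Login?ReturnUrl=%2Fsecure` rather than to Google, so the user sees a login prompt; clicking the Google link still returns without a password because the Google session is untouched, which is the OAuth2 limitation the thread describes, and the `prompt=select_account` parameter only makes that visible rather than silent.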