Owin openidconnect SignOut sending id_token_hint without active session
Hey! I have a solution integrating C# Microsoft.Owin.Security.OpenIdConnect latest version (4.2.2), .NET Framework 4.6.1 (MVC project), and I have a question.
My solution correctly closes the OpenID session on Keycloak when I have an active session; the problem is that I need to log out on the identity provider without an active .NET session (cookies not present), sending id_token_hint:
http://mykeycloak.com/realms/realm/protocol/openid-connect/logout
?post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A44332%2FFederation%2FLogoutConsume
&id_token_hint=XXXXX
&x-client-SKU=ID_NET461
&x-client-ver=5.3.0.0
The problem is that id_token_hint isn't sent:
http://mykeycloak.com/realms/realm/protocol/openid-connect/logout
?post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A44332%2FFederation%2FLogoutConsume
&x-client-SKU=ID_NET461
&x-client-ver=5.3.0.0
I tried creating a session before calling the signout code:
    public ActionResult Logout()
    {
        ...
        // No .NET session: build a temporary identity that carries the id_token
        if (!Request.IsAuthenticated)
        {
            var identity = new ClaimsIdentity(new List<Claim>
            {
                new Claim("UserId", "123", ClaimValueTypes.Integer32),
                new Claim("id_token", "valid_id_token")
            }, "Custom");
            HttpContext.User = new ClaimsPrincipal(identity);
        }
        if (Request.IsAuthenticated)
        {
            // only used to check that the temporary identity is now seen
        }
        HttpContext.GetOwinContext().Authentication.SignOut(
            new AuthenticationProperties { RedirectUri = "validRedirectUrl" }, "validIdpId");
        return new HttpStatusCodeResult(HttpContext.GetOwinContext().Response.StatusCode);
    }
I've gotten the second if (Request.IsAuthenticated) to be true; the problem is that it still doesn't send id_token_hint.
I've tried saving the ClaimsIdentity object in the cache in the SecurityTokenValidated event:
    OpenIdConnectAuthenticationNotifications notifications = new OpenIdConnectAuthenticationNotifications()
    {
        SecurityTokenValidated = context =>
        {
            ...
            // Keep the validated identity in the in-memory cache for 60 minutes (sliding)
            ObjectCache cache = MemoryCache.Default;
            CacheItemPolicy policy = new CacheItemPolicy();
            policy.SlidingExpiration = TimeSpan.FromMinutes(60);
            cache.Set("identity", context.AuthenticationTicket.Identity, policy);
            // Sign in using the created identity
            context.OwinContext.Authentication.SignIn(context.AuthenticationTicket.Identity);
            return Task.CompletedTask;
        },
    };
And getting it on logout:
    // Restore the cached identity as the current user before signing out
    ObjectCache cache = MemoryCache.Default;
    ClaimsIdentity identity = cache.Get("identity") as ClaimsIdentity;
    HttpContext.User = new ClaimsPrincipal(identity);
But the problem persists.
How can I sign out without an active session, or by creating a temporary one with strictly the needed data?
Thanks!
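One way to get id_token_hint onto the end-session redirect independently of whether a cookie session exists is to hand the id_token to SignOut explicitly and copy it into the protocol message from the RedirectToIdentityProvider notification. This is an added example, not the asker's code; it assumes a hypothetical dictionary key for carrying the token, that the properties passed to SignOut are visible to the notification through AuthenticationResponseRevoke, and that the caller already holds the id_token the IdP issued (for instance from the server-side cache shown in the question).

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;

public static class IdTokenHintLogout
{
    // Hypothetical dictionary key used to carry the id_token through SignOut.
    private const string IdTokenKey = "id_token";

    // Assign the result to OpenIdConnectAuthenticationOptions.Notifications at startup.
    public static OpenIdConnectAuthenticationNotifications Notifications()
    {
        return new OpenIdConnectAuthenticationNotifications
        {
            RedirectToIdentityProvider = n =>
            {
                // Only the end-session redirect is of interest; authorize requests pass through.
                if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout
                    && string.IsNullOrEmpty(n.ProtocolMessage.IdTokenHint))
                {
                    // Assumption: the AuthenticationProperties given to SignOut are exposed
                    // on the pending revoke for this request.
                    var revoke = n.OwinContext.Authentication.AuthenticationResponseRevoke;
                    string hint;
                    if (revoke?.Properties?.Dictionary != null
                        && revoke.Properties.Dictionary.TryGetValue(IdTokenKey, out hint)
                        && !string.IsNullOrEmpty(hint))
                    {
                        // The IdP uses id_token_hint to decide which of its sessions to end.
                        n.ProtocolMessage.IdTokenHint = hint;
                    }
                }
                return Task.CompletedTask;
            }
        };
    }

    // Controller side: no cookie session needed, only the id_token the IdP issued.
    public static void SignOutWithHint(IAuthenticationManager auth, string idToken,
                                       string postLogoutRedirectUri, string authenticationType)
    {
        if (string.IsNullOrEmpty(idToken))
            throw new ArgumentException("an id_token is required for id_token_hint", nameof(idToken));

        var props = new AuthenticationProperties { RedirectUri = postLogoutRedirectUri };
        props.Dictionary[IdTokenKey] = idToken;
        // authenticationType must match the OIDC middleware's AuthenticationType (e.g. "validIdpId").
        auth.SignOut(props, authenticationType);
    }
}
```

Because the hint is read from the SignOut properties rather than from the current principal, the temporary ClaimsIdentity and cached-identity workarounds from the question are not needed for this path.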