IdentityServer v3 and “Post Logout Redirect”

One frequently requested feature was the ability to redirect back to the client after logging out of IdentityServer. The session management spec describes this in the “RP-initiated logout” section.

While this is a nice convenience feature and seems trivial to implement, there are some security concerns around validating the URL the user is redirected to after logout: if that URL is not validated, the feature can be abused for phishing.

The client first has to prove that it is a legitimate client by sending the original identity token it received back to the logout endpoint (as id_token_hint). Furthermore, you can now register a list of valid post-logout redirect URIs for each client. The request looks like this:

/connect/endsession?
  id_token_hint=<original_id_token>&
  post_logout_redirect_uri=https://client.com&
  state=some_state
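
The server-side check this implies, as an added example that is not IdentityServer's own code: a client registration carrying its list of valid post-logout redirect URIs, exact matching of the requested post_logout_redirect_uri against that list, and the requirement that the id_token_hint was issued to that same client before any redirect is honoured. ClientRegistration, PostLogoutRedirectValidator, the client id "katanaclient" and the sample requests are all constructed for this example; signature validation of the id_token_hint itself is assumed to have happened before Resolve is called.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical client registration; IdentityServer v3's real client model is not reproduced here.
public class ClientRegistration
{
    public string ClientId { get; set; }
    public List<string> PostLogoutRedirectUris { get; set; }
}

public static class PostLogoutRedirectValidator
{
    // Decides where to send the browser after logout.
    // clientIdFromIdTokenHint: the client the (already validated) id_token_hint was issued to,
    // or null when no valid id_token_hint was presented.
    // Returns null when the request should end on the server's own logout page without a redirect.
    public static string Resolve(
        ClientRegistration client,
        string clientIdFromIdTokenHint,
        string requestedUri,
        string state)
    {
        if (client == null || string.IsNullOrEmpty(requestedUri))
            return null;

        // A redirect is only honoured for the client that proved it owns the session
        // by presenting an id_token issued to it.
        if (clientIdFromIdTokenHint == null ||
            !string.Equals(client.ClientId, clientIdFromIdTokenHint, StringComparison.Ordinal))
            return null;

        // Only absolute URIs, compared byte-for-byte against the registered list.
        // No prefix, wildcard or host-suffix matching: that is what stops a look-alike
        // or attacker-controlled URL from being accepted.
        Uri parsed;
        if (!Uri.TryCreate(requestedUri, UriKind.Absolute, out parsed))
            return null;
        if (!client.PostLogoutRedirectUris.Contains(requestedUri, StringComparer.Ordinal))
            return null;

        // Echo state back unchanged as a query parameter.
        if (string.IsNullOrEmpty(state))
            return requestedUri;
        var separator = requestedUri.Contains("?") ? "&" : "?";
        return requestedUri + separator + "state=" + Uri.EscapeDataString(state);
    }
}

public static class Program
{
    public static void Main()
    {
        var client = new ClientRegistration
        {
            ClientId = "katanaclient",
            PostLogoutRedirectUris = new List<string> { "https://client.com" }
        };

        // Constructed sample requests: (client id taken from id_token_hint, requested post_logout_redirect_uri)
        var cases = new[]
        {
            Tuple.Create("katanaclient", "https://client.com"),             // registered: allowed
            Tuple.Create("katanaclient", "https://client.com/"),            // differs by one char: refused
            Tuple.Create("katanaclient", "https://client.com.example.test"),// look-alike host: refused
            Tuple.Create("katanaclient", "/local"),                          // relative: refused
            Tuple.Create((string)null,   "https://client.com"),             // no id_token_hint: refused
            Tuple.Create("otherclient",  "https://client.com"),             // token from another client: refused
        };

        foreach (var c in cases)
        {
            var target = PostLogoutRedirectValidator.Resolve(client, c.Item1, c.Item2, "some_state");
            Console.WriteLine("{0,-12} {1,-32} -> {2}", c.Item1 ?? "(none)", c.Item2, target ?? "no redirect");
        }
    }
}
```

Only the first case produces a redirect (to https://client.com?state=some_state); every other case falls back to ending the logout on the server without redirecting, which is the safe default when either proof of client identity or the registered-URI match is missing.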

How do you preserve the id_token? You need to store it somewhere, e.g. in the authentication cookie during the SecurityTokenValidated notification when using the Katana OIDC middleware. You can then use the RedirectToIdentityProvider notification to attach it back on logout:

RedirectToIdentityProvider = async n =>
    {
        // if signing out, add the id_token_hint
        if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
        {
            var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token").Value;
            n.ProtocolMessage.IdTokenHint = idTokenHint;
        }
    }


There are various ways to specify the post logout redirect URI: through the above event handler, statically on the OpenIdConnectAuthenticationOptions, or via the RedirectUri property on the AuthenticationProperties when calling IAuthenticationManager.SignOut.
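
The whole client-side procedure in one place, as an added example rather than the post's sample: the id_token is stored as a claim in the cookie during SecurityTokenValidated, sent back as id_token_hint in RedirectToIdentityProvider (the same hook shown above, with a null check), and the post-logout redirect URI is supplied both statically on the options and, overriding it, through AuthenticationProperties.RedirectUri at SignOut. The authority, client id and URLs are assumptions; the Startup and AccountController classes are constructed for this example.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Katana pipeline for a hypothetical client "katanaclient" (authority and URLs are assumptions).
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idsrv.example/core",   // assumed IdentityServer base address
            ClientId = "katanaclient",
            RedirectUri = "https://client.example/",
            ResponseType = "id_token",
            Scope = "openid",
            SignInAsAuthenticationType = "Cookies",

            // Static option: sent as post_logout_redirect_uri unless overridden at SignOut time.
            // It must match an entry registered for this client on the server.
            PostLogoutRedirectUri = "https://client.example/",

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // 1. On login, keep the id_token in the cookie so it is available at logout.
                SecurityTokenValidated = n =>
                {
                    n.AuthenticationTicket.Identity.AddClaim(
                        new Claim("id_token", n.ProtocolMessage.IdToken));
                    return Task.FromResult(0);
                },

                // 2. On logout, send it back as id_token_hint.
                RedirectToIdentityProvider = n =>
                {
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                    {
                        var idToken = n.OwinContext.Authentication.User.FindFirst("id_token");
                        if (idToken != null)
                        {
                            n.ProtocolMessage.IdTokenHint = idToken.Value;
                        }
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}

// 3. Triggering logout from an MVC controller. The RedirectUri set here overrides the
//    static PostLogoutRedirectUri and is sent as post_logout_redirect_uri; it still has to
//    be on the client's registered list or the server will not redirect.
public class AccountController : Controller
{
    public ActionResult Logout()
    {
        var props = new AuthenticationProperties { RedirectUri = "https://client.example/loggedout" };
        Request.GetOwinContext().Authentication.SignOut(props, "Cookies", "OpenIdConnect");
        return new EmptyResult();
    }
}
```

Storing the raw id_token as a claim is what makes the cookie grow; if cookie size matters, the token could instead be kept server-side and looked up by session in RedirectToIdentityProvider, but it must still be the original token the client received.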

See this sample here. HTH.


7 Responses to IdentityServer v3 and “Post Logout Redirect”

  1. Greg Manrodt says:

    What is required on the Identity Server to make this work? For example, using the ASPNET Identity example in GitHub (with some reconfiguration of the client to allow Hybrid and “KatanaClient”), and MVC OWIN Client (Hybrid), I get many exceptions.

    I believe that I have the client configured correctly (maybe not??) but response.AccessToken and response.RefreshToken are both null (the tokenClient.RequestAuthorizationCodeAsync(n.Code, n.RedirectUri); call fails). However, since I don’t really need those values to test the redirect, I have commented them out. The server still doesn’t honor the PostLogoutRedirectUri setting in the OpenIdConnectAuthenticationOptions.

    I was thinking that perhaps the ASP NET Identity example in GitHub is using outdated code, prior to the implementation of support for the logout url?

  2. Andy says:

    How do you do it without using app.UseOpenIdConnectAuthentication? OpenId is not available to use on Mono.

  3. Allan says:

    Something that's not so nice about having to preserve the id_token is that the cookie becomes much larger.
