One frequently requested feature was the ability to redirect back to the client after logging out of IdentityServer. The session management spec describes this in the “RP-initiated logout” section.
While this is a nice convenience feature and seems trivial to implement, there are some security concerns around the validation of the URL to redirect to after logout is done. This feature could be abused for phishing.
The client first has to prove that it is a legitimate client by sending the original identity token it received back to the logout endpoint. Furthermore, you can now register a list of valid post-logout redirect URIs for each client. The request looks like this:
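Independent of the wire format, the two requirements above (the caller proves who it is with the original id_token, and the redirect target must be on that client's registered list) amount to the following server-side check. This is an added illustration written for this post, not IdentityServer's own code; the ClientRegistration type, the parameter names and the sample URIs are assumptions, and it assumes the id_token_hint has already been signature- and issuer-validated elsewhere so that only its client id is passed in.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical registration record: the post-logout redirect URIs an admin registered for one client.
public class ClientRegistration
{
    public string ClientId { get; set; }
    public List<string> PostLogoutRedirectUris { get; set; } = new List<string>();
}

public static class PostLogoutRedirectValidator
{
    // Returns the URI to redirect to after logout, or null when no redirect may happen.
    // clientIdFromIdToken is the client id taken from an id_token_hint that was already
    // validated (signature, issuer, expiry) - that validation is assumed and not shown here.
    public static string Validate(ClientRegistration client, string clientIdFromIdToken, string requestedUri)
    {
        // No (valid) id_token_hint: we cannot tell which client is asking, so never redirect.
        if (client == null || string.IsNullOrEmpty(clientIdFromIdToken)) return null;

        // The token must belong to the client whose registration we are checking against.
        if (!string.Equals(client.ClientId, clientIdFromIdToken, StringComparison.Ordinal)) return null;

        // Nothing requested: the logout page is shown, no redirect.
        if (string.IsNullOrWhiteSpace(requestedUri)) return null;

        // Only absolute URIs are acceptable as redirect targets.
        if (!Uri.TryCreate(requestedUri, UriKind.Absolute, out var parsed)) return null;

        // Exact, ordinal match against the allow list. Deliberately no prefix or wildcard matching:
        // a StartsWith check would accept a registered value followed by attacker-chosen text.
        return client.PostLogoutRedirectUris.Contains(requestedUri, StringComparer.Ordinal)
            ? requestedUri
            : null;
    }

    public static void Main()
    {
        // Constructed sample registration for the demonstration.
        var mvcClient = new ClientRegistration
        {
            ClientId = "mvc",
            PostLogoutRedirectUris = { "https://client.example.test/" }
        };

        Console.WriteLine(Validate(mvcClient, "mvc", "https://client.example.test/") ?? "(no redirect)");
        // Wrong client in the token: no redirect
        Console.WriteLine(Validate(mvcClient, "other", "https://client.example.test/") ?? "(no redirect)");
        // Not on the registered list: no redirect
        Console.WriteLine(Validate(mvcClient, "mvc", "https://client.example.test/../evil") ?? "(no redirect)");
        // No id_token_hint at all: no redirect
        Console.WriteLine(Validate(mvcClient, null, "https://client.example.test/") ?? "(no redirect)");
    }
}
```

The point of returning null rather than falling back to the requested URI is that the safe failure mode for an unverifiable request is to show the provider's own logged-out page, not to redirect anywhere.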
How do you preserve the id_token? You need to store it somewhere – e.g. by putting it into the authentication cookie during the SecurityTokenValidated notification when using the Katana OIDC middleware. You can then use the RedirectToIdentityProvider notification to attach it back on logout:
RedirectToIdentityProvider = async n =>
{
    // if signing out, add the id_token_hint
    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
    {
        // "id_token" is the claim name assumed to have been stored at SecurityTokenValidated
        var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
        if (idTokenHint != null) n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
    }
}
There are various ways to specify the post-logout redirect URI – through the above event handler, statically on the OpenIdConnectAuthenticationOptions, or via the RedirectUri property on the AuthenticationProperties when calling IAuthenticationManager.SignOut.
See this sample here. HTH.