Trigger OpenId Connect Sign-out

An application (relying party) that wants to initiate single sign-out normally does so through the library it uses for OIDC. If the library doesn't support sign-out, the application can still trigger it by redirecting the browser (HTTP GET) to a URL of this form:

GET https://instance.irmciam.se/connect/endsession?
    post_logout_redirect_uri={URL TO RETURN USER TO AFTER SIGN OUT}&
    id_token_hint={ID_TOKEN}&
    state={OPTIONAL STATE RETURNED TO CLIENT}
Parameters:

post_logout_redirect_uri (Recommended)
    The URL the user is redirected to after the sign-out completes. If the parameter isn't supplied, a generic "signed out" message is displayed instead. The URL must be registered in the application configuration for the application in Authway. If an exact match isn't found, the parameter is ignored and the user is not redirected back to the application in any way.

id_token_hint (Recommended)
    Indicates which user should be signed out. It is required for post_logout_redirect_uri to be considered. If it isn't supplied, the user may be prompted to confirm the sign-out (for security reasons).

state (Optional)
    State information that is returned to the client when the user is redirected after the sign-out. For example, you can store information about the current user session, or a redirect URL the user should be returned to within the application after arriving at the post_logout_redirect_uri.

Full specification: OpenID Connect RP-Initiated Logout 1.0

C# example

In this example the application records that the user should be redirected to the Index action once the sign-out completes. We recommend that this local redirect URL allows anonymous access; otherwise the sign-out immediately triggers a new sign-in, which is a strange user experience.

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

public async Task SignOut()
{
    // Clear the local cookie session first.
    await HttpContext.SignOutAsync();

    // Where the OIDC handler should send the user after the provider returns;
    // this URL must be anonymous-accessible (see note above).
    string returnUrl = Url.Action(nameof(Index));

    // Let the OIDC handler redirect to the provider's end-session endpoint
    // with id_token_hint and post_logout_redirect_uri filled in.
    await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme,
                new AuthenticationProperties { RedirectUri = returnUrl });
}
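The following is an added example, not code from this documentation or from Authway. It shows the manual fallback described at the top of the page (an OIDC library without sign-out support) by building the endsession redirect itself, and the anonymous return endpoint recommended in the C# section. It assumes the provider URL https://instance.irmciam.se from the page, that the application was configured with SaveTokens = true so the id_token can be read back with GetTokenAsync, and that the SignedOut URL is the one registered (character for character) as post_logout_redirect_uri in Authway. The action names and the use of "state" as a local return path are the example's own choices.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.WebUtilities;

public class AccountController : Controller
{
    // End-session endpoint from the page. In practice read end_session_endpoint
    // from the provider's discovery document instead of hard-coding it.
    private const string EndSessionEndpoint =
        "https://instance.irmciam.se/connect/endsession";

    // GET /Account/Logout : manual RP-initiated logout (no library support assumed).
    [HttpGet]
    public async Task<IActionResult> Logout()
    {
        // The id_token from sign-in is only available if the OIDC handler was
        // configured with SaveTokens = true (assumption for this example).
        string? idToken = await HttpContext.GetTokenAsync("id_token");

        // Clear the local cookie session before handing the browser to the provider.
        await HttpContext.SignOutAsync();

        // Must match a registered post-logout URL in Authway exactly, or the
        // provider will ignore it and show its generic signed-out page.
        string postLogoutRedirectUri = Url.Action(
            action: nameof(SignedOut),
            controller: "Account",
            values: null,
            protocol: Request.Scheme)!;

        var parameters = new Dictionary<string, string?>
        {
            ["post_logout_redirect_uri"] = postLogoutRedirectUri,
            // "state" is echoed back unchanged; here it carries a local return path.
            ["state"] = "/",
        };

        if (idToken is not null)
        {
            // Without id_token_hint the provider will not honour
            // post_logout_redirect_uri and may prompt the user to confirm.
            parameters["id_token_hint"] = idToken;
        }

        // AddQueryString URL-encodes every value, so the token and the
        // redirect URL survive the round trip intact.
        return Redirect(QueryHelpers.AddQueryString(EndSessionEndpoint, parameters));
    }

    // GET /Account/SignedOut?state=... : the registered post-logout landing page.
    // Anonymous, so returning here never triggers a fresh sign-in.
    [HttpGet]
    [AllowAnonymous]
    public IActionResult SignedOut(string? state)
    {
        // "state" arrives from the browser and can be tampered with on the way
        // back, so only local paths are followed; anything else is ignored.
        if (!string.IsNullOrEmpty(state) && Url.IsLocalUrl(state))
        {
            return LocalRedirect(state);
        }

        return View();
    }
}
```

The action is named Logout rather than SignOut to avoid hiding the SignOut helper inherited from ControllerBase. If the OIDC library does support sign-out, prefer the SignOutAsync call shown in the page's own example, since the handler then fills in id_token_hint and post_logout_redirect_uri from its own configuration.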