BFF: What causes Identity Server to Trigger Back Channel Logout?

[dana-n]

I am running Identity Server and another .NET app with BFF and I am trying to get Identity Server to issue a back-channel logout request. Based on the documentation, it is supposed to happen automagically. On Identity Server, the client is configured like this:

new Client
{
	ClientId = "bff",
	ClientName = "BFF Example",
	BackChannelLogoutUri = "https://localhost:5082/bff/backchannel",
	// many additional setings!
};

The AccountController has an instance of SignInManager<TUser> and we are signing users out by calling SignOutAsync(). The expectation is that this should in turn be sending a back-channel logout request to the BFF, but I do not believe this is happening. I have added various breakpoints and done some pair programming to double check my configuration. But I do not believe the backchannel logout request is being sent at all.

Is there something else that needs to happen in order for back-channel logout requests to get issued to the /bff/backchannel endpoint? Or is what I have described supposed to be enough?

[Erwinvandervalk]

Hi @dana-n

I believe you also need to set the BackChannelLogoutSessionRequired

client.BackChannelLogoutSessionRequired = true;

Here are the integration tests that run both IS and BFF together:
https://github.com/DuendeSoftware/products/blob/releases/bff/4.0.0/bff/test/Bff.Tests/Endpoints/Management/BackchannelLogoutEndpointTests.cs#L26

[dana-n]

Thanks for the responses!

I don't think we have server-side sessions on the BFF, I can try to enable them and see what happens.

I am pretty sure we have server side sessions enabled on Identity Server. Does this even matter?

[wcabus]

Server-side sessions in IdentityServer is indeed a completely separate thing: it is used to reduce the authentication cookie's size, monitoring session activity and being able to cleanup/expire sessions centrally.

Server-side sessions in BFF are used to also reduce the authentication cookie's size, but is also required for the back-channel logout functionality to work correctly.

[dana-n]

I tried a couple of things (starting first by enabling server-side sessions) and eventually figured out one way to reliably get IdentityServer to do back-channel logout to the BFF. The problem that I am seeing seems related to external IdP and specifically use of the end_session_endpoint. Within our AccountController we have some boilerplate code from one of Duende's examples as follows (comments added by me):

[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout(LogoutInputModel input)
{
    var vm = await BuildLoggedOutViewModelAsync(input.LogoutId, input.RequestId);

    // This method calls SignInManager<TUser>.SignOutAsync() to log the user out of IdentityServer
    await LogoutLocallyIfAuthenticated();

    // The value here is different depending on how the user signed in, but can sometimes be true!
    if (vm.TriggerExternalSignout)
    {
        string url = Url.Action("Logout", new { logoutId = vm.LogoutId });

        // Here the user is redirected to the end_session_endpoint of an external IdP, BFF backchannel logout does not happen here
        return SignOut(new AuthenticationProperties { RedirectUri = url }, vm.ExternalAuthenticationScheme);
    }

    // When the user is not signing out of an external IdP, the BFF backchannel logout does occur!
    return View("LoggedOut", vm);
}

I am wondering if I need to manually do the BFF backchannel logout when logging the user out of an external IdP? That SignOut method is defined in Microsoft.AspNetCore.Mvc.ControllerBase.

I am going to keep digging, but figured I would post what I have come up with thus far.

[wcabus]

The back-channel logout should be triggered regardless of whether you signed in using an external identity provider. When you call _signInManager.SignOutAsync(); inside that LogoutLocallyIfAuthenticated method, IdentityServer hooks in and will perform the back-channel logout inside the IdentityServerMiddleware.

If you (temporarily) enable debug-level logging for the namespace Duende.IdentityServer.Services, you should see a line like:

Due to user logout, invoking backchannel logout for subject id {subjectId} and session id {sessionId}

[dana-n]

This item was moved to the backburner, but I eventually got back to working on it. We have a custom IClientStore that retrieves and filters clients based on the properties of the current request. The client that is configured to do backchannel logout was getting filtered in some circumstances and we need to figure that part out. But pointing me to the IdentityServerMiddleware for debugging, and enabling logging was what allowed me to discover this.

[AndersAbel]

I am wondering if I need to manually do the BFF backchannel logout when logging the user out of an external IdP?

There was indeed a bug found in IdentityServer for the combination of back-channel logout and an incoming front-channel logout from an upstream provider. Please see DuendeSoftware/products#2258