BFF: What causes Identity Server to Trigger Back Channel Logout?

[dana-n]

I am running Identity Server and another .NET app with BFF and I am trying to get Identity Server to issue a back-channel logout request. Based on the documentation, it is supposed to happen automagically. On Identity Server, the client is configured like this:

new Client
{
	ClientId = "bff",
	ClientName = "BFF Example",
	BackChannelLogoutUri = "https://localhost:5082/bff/backchannel",
	// many additional setings!
};

The AccountController has an instance of SignInManager<TUser> and we are signing users out by calling SignOutAsync(). The expectation is that this should in turn be sending a back-channel logout request to the BFF, but I do not believe this is happening. I have added various breakpoints and done some pair programming to double check my configuration. But I do not believe the backchannel logout request is being sent at all.

Is there something else that needs to happen in order for back-channel logout requests to get issued to the /bff/backchannel endpoint? Or is what I have described supposed to be enough?

[Erwinvandervalk]

Hi @dana-n

I believe you also need to set the BackChannelLogoutSessionRequired

client.BackChannelLogoutSessionRequired = true;

Here are the integration tests that run both IS and BFF together:
https://github.com/DuendeSoftware/products/blob/releases/bff/4.0.0/bff/test/Bff.Tests/Endpoints/Management/BackchannelLogoutEndpointTests.cs#L26

[wcabus]

I've just tried a scenario locally with BackChannelLogoutSessionRequired set to false and was still able to sign out via a backchannel-triggered logout.

Does your BFF have server-side sessions enabled? This is needed for the backchannel logout functionality to work in BFF. Note that this is not the same as server-side sessions in IdentityServer.

[dana-n]

Thanks for the responses!

I don't think we have server-side sessions on the BFF, I can try to enable them and see what happens.

I am pretty sure we have server side sessions enabled on Identity Server. Does this even matter?

[wcabus]

Server-side sessions in IdentityServer is indeed a completely separate thing: it is used to reduce the authentication cookie's size, monitoring session activity and being able to cleanup/expire sessions centrally.

Server-side sessions in BFF are used to also reduce the authentication cookie's size, but is also required for the back-channel logout functionality to work correctly.

[dana-n]

I tried a couple of things (starting first by enabling server-side sessions) and eventually figured out one way to reliably get IdentityServer to do back-channel logout to the BFF. The problem that I am seeing seems related to external IdP and specifically use of the end_session_endpoint. Within our AccountController we have some boilerplate code from one of Duende's examples as follows (comments added by me):

[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout(LogoutInputModel input)
{
    var vm = await BuildLoggedOutViewModelAsync(input.LogoutId, input.RequestId);

    // This method calls SignInManager<TUser>.SignOutAsync() to log the user out of IdentityServer
    await LogoutLocallyIfAuthenticated();

    // The value here is different depending on how the user signed in, but can sometimes be true!
    if (vm.TriggerExternalSignout)
    {
        string url = Url.Action("Logout", new { logoutId = vm.LogoutId });

        // Here the user is redirected to the end_session_endpoint of an external IdP, BFF backchannel logout does not happen here
        return SignOut(new AuthenticationProperties { RedirectUri = url }, vm.ExternalAuthenticationScheme);
    }

    // When the user is not signing out of an external IdP, the BFF backchannel logout does occur!
    return View("LoggedOut", vm);
}

I am wondering if I need to manually do the BFF backchannel logout when logging the user out of an external IdP? That SignOut method is defined in Microsoft.AspNetCore.Mvc.ControllerBase.

I am going to keep digging, but figured I would post what I have come up with thus far.

[wcabus]

The back-channel logout should be triggered regardless of whether you signed in using an external identity provider. When you call _signInManager.SignOutAsync(); inside that LogoutLocallyIfAuthenticated method, IdentityServer hooks in and will perform the back-channel logout inside the IdentityServerMiddleware.

If you (temporarily) enable debug-level logging for the namespace Duende.IdentityServer.Services, you should see a line like:

Due to user logout, invoking backchannel logout for subject id {subjectId} and session id {sessionId}