asp.net core - How to logout all clients from Identity Server?

Question

Identity Server and two clients (SSO): .Net Core MVC and Nodejs.

When I log in with Nodejs client, after refresh MVC (second client) I got logged MVC client. It's good. But when I logout from Nodejs it send back-channel logout url to MVC client. Nodejs doesn't have problems with logout. But MVC client - after browser refresh it stay logged. I read this and this posts but they didn't help.

When in MVC Startup i wrote this code:

options.Events = new OpenIdConnectEvents
{
OnTicketReceived = (e) =>
 {
  e.Properties.IsPersistent = true;
  e.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(2);

  return Task.CompletedTask;
}
};

After two minutes I refresh browser and MVC redirect to Idrsv login page. Its good, but not safe (need to wait 2 minutes).

I read about userId claim cache but I doubt - if it will be a lot of active sessions, then cache will be very big and app will work slowly.

I can do with front-channel logout, but I read about cons, and now I doubt.

What do you prefer for logout all clients from Identity Server?

Answer 1

In the samples the logout is performed using iframes on the logged out page. If this page is skipped or aborted, clients may not be informed. But I don't think that's the case.

I'd rather prefer a safer backend logout that doesn't rely on iframes. Take a look at my answer here for an example.

Now about the client. Non-javascript clients do need a roundtrip to update the cookie. So the flow is: user logs out from client A. IdentityServer informs other clients (backchannel) and removes server cookie.

And now the (non-javascript) client has to take action. It also needs to remove the cookie, but that is only possible after the user performs an action.

And that's where the caching comes in. The cache only contains the alert from the server. On the first opportunity it removes the cookie and also removes the user from the cache. So the cache will in fact stay quite small. Do add some cleanup code to remove logged out users (that never returned) with cookies that are expired.