This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Question: Purpose of EndSessionCallback? #1581

Closed
appetere opened this issue Jul 7, 2015 · 7 comments

@appetere

appetere commented Jul 7, 2015

After logging-out of IdentityServer3 from a browser, the loggedOut.html page renders a hidden iframe which calls /auth/core/connect/endsessioncallback by default.

Can you explain what this callback is for please?

I can't find any reference to similar functionality in the OpenID Connect Session Management spec or in web-searches.

@brockallen
Member

Search the issue tracker history -- this has already been asked.

@appetere
Author

appetere commented Jul 8, 2015

Can you tell me which issue has the answer please?

I have tried to find it! But directly searching the issues for the following:

  • endsessioncallback => 3 issues
  • end session callback => 10 issues
  • logout => 92 issues

the only hint at an answer I've found is:

#699 "I don't think we'll allow auto redirects -- the reason is that it's possible that there are iframes being loaded on the page to trigger logouts to other places. If you auto redirect then those iframes might not load the pages they need to load and you won't get proper single signout."

@brockallen
Member

#1499

@appetere
Author

appetere commented Jul 9, 2015

Thanks for the link, but it doesn't answer my question.

The loggedOut partial view renders iFrames:

<div class="page-header">
    <h1>
        Logout
        <small>You are now logged out</small>
    </h1>
    <div ng-show="model.redirectUrl">
        Click <a ng-href="{{model.redirectUrl}}">here</a> to return to the
        <span ng-bind="model.clientName"></span> application.
    </div>
    <iframe class="signout" ng-repeat="url in model.iFrameUrls" ng-src="{{url}}"></iframe>
</div>

with one iFrame for each item set in IdentityServerOptions.ProtocolLogoutUrls.

By default this is set to a single item:

options.ProtocolLogoutUrls.Add(Constants.RoutePaths.Oidc.EndSessionCallback);

This default just calls an endpoint which itself doesn't do anything:

        [Route(Constants.RoutePaths.Oidc.EndSessionCallback, Name = Constants.RouteNames.Oidc.EndSessionCallback)]
        [HttpGet]
        public IHttpActionResult LogoutCallback()
        {
            Logger.Info("End session callback requested");

            return ResponseMessage(new HttpResponseMessage(HttpStatusCode.OK)
            {
                Content = new StringContent(String.Empty, Encoding.UTF8, "text/html")
            });
        }

So what I am trying to understand is what are these iFrames meant to be used for? In the default case it just seems like an extra, unnecessary web-call.

@brockallen
Member

As I said in the other issue -- one endpoint is for the OIDC protocol for signout. It is implemented in terms of the IdSvr logout page which then needs to trigger signout of all the protocols we support, which is an iframe to our protocol cleanup endpoints.

Perhaps you're missing the fact that a user can trigger logout in diff ways.

@appetere
Author

I am missing something!

So .. after reaching the EndSession endpoint, the browser is redirected to a page that says, "You are now logged out". This page has an iFrame on it that (with the default IdentityServer3 configuration) calls the EndSessionCallback. This callback (see code extract in previous comment) just returns an empty string.

I don't understand the reason for calling this EndSessionCallback, if it just returns an empty string.

@brockallen
Member

It's a placeholder for future work on this spec: http://openid.net/specs/openid-connect-logout-1_0.html
