Signout IFrame URLs (endsession/callback) are provided even if there are no clients to signout from

[aomader]

Which version of Duende IdentityServer are you using?
7.0.8

Which version of .NET are you using?
.NET8

Describe the bug

The signout iframe URL (targeting the endsession callback) is generated even if the clients the user is signed into don't have a FrontChannelLogoutUri and calling that endsession callback is useless in this case.

Maybe I am missing here some details, but if so, please enlighten me.

To Reproduce

Get the logout context for a user that signed into a client that has no FrontChannelLogoutUri. The URL towards the endsession callback (the iframe URL) is still generated, although it is a noop.

Expected behavior

No iframe URL (i.e., null), since there is nothing to do.

Otherwise, there is a need to show an intermediate page for some time to load the iframe URL in the browser.

Additional Context

Asking as an Enterprise License user.

[RolandGuijt]

The way this works is that IdentityServer creates a URL which the browser then uses to get an iFrame that will access the URL you're seeing in the logout context for each client.
When the client doesn't have a session or no FrontChannelLogoutUri configured that UrL returns an empty result. If that isn't the case it will return an iFrame pointing to a URL that ends the session.
So eventually we end up with a parent iFrame that contains child iFrames for each client that has a session and a FrontChannelLogoutUri.

So it's correct that you see the URL being generated, it will just not return anything if there's no FrontChannelLogoutUri.

[aomader]

I am not sure I can fully follow, at least not the justification, or I am not seeing where this addresses the question.

So assuming there are no FrontChannelLogoutUris configured for any client and I get a logout context for a user signed into some of them. At that point, IdentityServer will happily provide me with a signout iframe URL that I need to provide to the user agent.

The issue is now that in this exact case, that signout iframe URL will resolve to a basically empty document, since there are no FrontChannelLogoutUris. Additionally, as I see it, that endpoint isn't doing anything else except for generating that list of sub-iframes, which again, would in this case be empty. Hence, the requirement to include this signout iframe at all seems pointless, so why should the IdentityServer generate it in the first place? It just forces the user flow to show a redirection page without there being an actual need for it.

[AndersAbel]

We are looking into ways to indicate that the logout iframe isn't needed. Changing it to return null if it is empty would be a simple approach, but unfortunately it would break all existing UI deployments...

[RolandGuijt]

I have put this on our internal ideas list so it can be taken in consideration. It seems that our sample UI can handle it but we have to consider custom work around the loggedout page.

[AndersAbel]

Reviewing this once more, I was actually wrong about the null. There are cases where the SignOutIFrameUrl is indeed null and the UI should handle that already. This would allow us to change the behaviour if more people ask for it.

For now, a workaround would be to add a check in the LoggedOut action/page.

var hasFrontChannelLogout = false;
if(logout.ClientIds != null)
{
    foreach(var c in logout.ClientIds)
    {
        var client = await _clientStore.FindClientByIdAsync(c);
        if(client != null && client.FrontChannelLogoutUri != null)
        {
            hasFrontChannelLogout = true;
            break;
        }
    }
}

[maartenba]

(note: we're moving this issue to our new community discussions)

[RolandGuijt]

I'm moving this to the feature request category. If you read this and think that it's a useful feature for your org, please upvote.