Logout gives Error processing end session request when user already changed

[aaronclawrence]

We have two applications with different client IDs sharing the same backend - ASP.NET MVC using session cookies, as in the original IS sample. It achieves Single Sign On.

If we do this:

• Both applications are signed in as user X.
• Sign out of application 1
• Sign back in to application 1 as user Y.
• Sign out of application 2.

We get from Identity Server:
Error processing end session request {error}
error = Invalid request

and although the logout works, the user is left on the backend page instead of redirecting back to application 2. So now things are a bit broken.

Is this expected?
Is there any more information available other than the (rather unhelpful) "Invalid request" ?
It seems like unhelpful behavior. Logging out of the second application should still work.

[wcabus]

Duende IdentityServer most likely logged additional log entries whenever it shows an "Invalid request" error to a user, but these may be hidden because of their log level: the EndSessionRequestValidator uses the Information log level when writing additional information for invalid requests.

If you want to only lower the log level for these types of events, you can add a log filter for the namespace "Duende.IdentityServer.Validation" and set that to "Information"

To troubleshoot the problem further, I want to clarify what you're doing a bit further. Is this scenario accurate?

1. You sign in into application 1 as user X.
2. You sign in into application 2 as user X as well, using single sign on.
3. You sign out of application 1 as user X. Question: is there single sign off implemented using back- or front-channel logout to application 1/2?
4. You sign in into application 1 as user Y. Are you doing this from the same device/browser?
5. You sign out of application 2 as user X, assuming that there was no back- or front-channel logout performed when signing out from application 1 as user X.