Option to sign out from external identity provider on user log out

[dmit4git]

Is your feature request related to a problem?

Consider following Orchard config:

• Orchard is setup as OpenID client (Configureation -> Feature -> OpenID Connect Client Integration)
• Login settings (Security -> Settings -> User Login) have
  • Disable local password login: on
  • Use external provider for login: on

Now user can't log out of Orchard because when they do - Orchard goes to login page which automatically logs the user back in because IdP session is not terminated.

In scenario when "Use external provider for login" is off there is also room for issues on user's side. User may be not aware that there is a difference between IdP log-in and Orchard log-in, they may expect that logging out of Orchard would prevent someone else from logging back in on their browser. Since user is still signed into IdP, all it takes is to click Login With External Provider.

Describe the solution you'd like

It would be safer and more convenient to have an option for automatically signing user out of IdP on logout.

Add a new checkbox setting to OpenID client settings (Security -> OpenID Connect -> Authentication Client). When the setting is on, user would automatically get signed out of IdP on logging off from Orchard.

Describe alternatives you've considered

It would be nice to have an event that gets triggered when user logs out, it could be utilized to sign the user out from IdP by code. There is LoggedInAsync event, but it looks like there is no log out event.

[github-actions]

Thank you for submitting your first issue, awesome! 🚀 We're thrilled to receive your input. If you haven't completed the template yet, please take a moment to do so. This ensures that we fully understand your feature request or bug report. On what happens next, see the docs.

If you like Orchard Core, please star our repo and join our community channels.

[Piedone]

We could certainly add a logout event (or a before-after one), executed around here:

OrchardCore/src/OrchardCore.Modules/OrchardCore.Users/Controllers/AccountController.cs

Line 197 in e5f8ff3

await _signInManager.SignOutAsync();

However, while I understand the problem I'm not sure about logging out the user from the external IDP, that might be unexpected (or destructive even, like if they're in the middle of writing an e-mail in Outlook or setting something up in Azure and they get logged out from their Microsoft work account).

[dmit4git]

Agreed. Automatically signing users out of the external IdP has tradeoffs - neither approach is ideal, and the right choice depends on your use case. That said, making it optional wouldn't hurt.
It doesn't look like there is a standard on this matter. In practice, some apps sign you out of the IdP (like Grafana, Portainer, and pgAdmin), while others don't (like Graylog).

[MikeAlhayek]

I started a PR a long time ago in regard to this and lost interest. Feel free to pick it up #16706 If the server support logout, we should also support it. Note that not all servers support logout

[github-actions]

We triaged this issue and set the milestone according to the priority we think is appropriate (see the docs on how we triage and prioritize issues).

This indicates when the core team may start working on it. However, if you'd like to contribute, we'd warmly welcome you to do that anytime. See our guide on contributions here.