Backchannel logout with ASP.NET


We are using several applications running ASP.NET (both framework and .NET6). All of these are using Auth0 as IDP. When logging out one of these applications, we want the session of this user on any other applications hes logged into to also be ended. In Auth0, this can only be achieved by using backchannel logout.

Problem Im facing now is that ASP.NET doesnt seem to offer a way to access the session management from an unauthenticated call (in this case the Backchannel call). In this case the backchannel call goes off, I receive the token and can parse the sid from it. So far so good. But at that point I can’t access the session management.

The solutions Ive found so far are the following:

  • Use a short timeout. This does help, but if users switch applications fast enough it still runs into the same problem. And also increases the amount of authentication calls to Auth0.
  • Create a mechanism to keep track of logged-out sessions, and check if its still active on each user call. This also incurs a performance penalty as I need to process this check on every call, which involves Redis in my case, because im using multiple instances of my app.

Has anyone had any luck implementing a different method to do this? Preferably something builtin to the framework to handle this in an efficient manner?

We implemented our own mechanism using frontchannel logout, which is flexible enough to suit our needs. Backchannel is more reliable, so if possible use that. But that wasnt an option in our scenario.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.