Redirected to Facebook after logout (Owin, wsfederation)

andreas.westling · December 12, 2017, 8:18pm

I’m using Owin middleware to configure ws-federated authentication for my MVC application. I’ve enabled Facebook as a social connection.
Everything works when logging in using Facebook, but when loggin out I’m always redirected to Facebook after logout completes instead of back to my application.

I’ve added my application url to the allowed logout urls in the Auth0 settings, as well as in the facebook app.

When logging the user out I use the following code:

HttpContext.GetOwinContext().Authentication.SignOut(new AuthenticationProperties
{
 RedirectUri = "http://mysite.dev/"
}, WsFederationAuthenticationDefaults.AuthenticationType);

In the Auth0 log there’s the following entry:

{
  "date": "2017-12-12T10:58:32.527Z",
  "type": "slo",
  "description": "Redirected to IdP",
  "connection": "facebook",
  "connection_id": "con_vdvCpY81iFKe2K9Y",
  "client_id": "XXXXX",
  "client_name": "MyClient",
  "ip": "127.10.100.100",
  "user_agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
  "details": {
    "return_to": "http://mysite.dev/",
    "allowed_logout_url": 
      "http://mysite.dev/",
      "http:/mysite.dev"
    ]
  },
  "user_id": "facebook|12345678910",
  "user_name": "me@gmail.com",
  "log_id": "49570627966157796616778729595816630758012413822423057458"
}

As you can see the return_to url and allowed logout url are both set.
What else do I need to do to get redirected back to my app after logout?

jmangelo · December 28, 2017, 6:26pm

When it comes to logout request that are mean to reach downstream identity providers like Facebook the actual requirements may vary by provider. For example, in the case of Facebook the logout request must be accompanied by the end-user access token; this is detailed in this section of the reference documentation.

From the information provided it is not clear if you’re meeting that requirement or not so that could be one possible explanation. In addition, even if the access token is correctly passed Facebook might not honor the logout request or the final redirect to your client application is not performed if the Facebook application you registered is not configured properly.

For example, you may have issues if you don’t add a platform for the application (web site) and don’t list your client application domain in the settings; check the top-voted answer on this SO question on the same topic.