DuendeSoftware / BFF

Framework for ASP.NET Core to secure SPAs using the Backend-for-Frontend (BFF) pattern

/bff/logout endpoint passing State to idp/connect/endsession. #198

Closed prijgec closed 2 months ago

prijgec commented 2 months ago

/bff/logout endpoint passing State to idp/connect/endsession.

How do I restrict the client app so that it does not send state as a parameter, but only the post logout URI and the id token? Thanks

brockallen commented 2 months ago

Why do you want to suppress that protocol parameter? It's needed on the post logout redirect URI endpoint.

prijgec commented 2 months ago

I thought state was an optional parameter. My id token is big, and adding the state makes the URL bigger than the URL size limit. I tried removing state from the endsession call manually and logout worked. Thanks

brockallen commented 2 months ago

Then it sounds like you might want to look into techniques for making the id_token smaller, like using code flow and getting an access token for the userinfo endpoint from the OIDC protocol. Are you doing this already?

https://openid.net/specs/openid-connect-core-1_0.html#UserInfo

prijgec commented 2 months ago

Yes. I have maximum optimization for the id token, but I do not want to pass the state param with the endsession call. However, I am not finding any way to make state optional from the client. The IdP logout endpoint called from the BFF is automatically adding the state param, and I am not able to edit that by extending DefaultLogoutService's ProcessRequestAsync method.

brockallen commented 2 months ago

This is something you'd need to do in the Microsoft OIDC handler when it does the SignOut/OIDC end session workflow. I've not tried it myself, but one idea would be to handle some of the OIDC events prior to the redirect.
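As an added illustration of the event hook mentioned above (example code, not from the BFF project or this thread): the Microsoft OIDC handler raises `OnRedirectToIdentityProviderForSignOut` just before the browser is sent to the end session endpoint, which is the point where the outgoing request can be inspected. The scheme names, authority, client id and the 2048-character threshold are placeholders chosen for the example.

```csharp
// Added example, not code from the BFF project. Assumes a top-level
// Program.cs (.NET 6+) with placeholder scheme names and IdP settings.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = "cookie";          // placeholder scheme name
        options.DefaultChallengeScheme = "oidc";   // placeholder scheme name
        options.DefaultSignOutScheme = "oidc";
    })
    .AddCookie("cookie")
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://idp.example.test";  // placeholder
        options.ClientId = "spa-bff";                    // placeholder
        options.ResponseType = "code";
        // Pull claims from the userinfo endpoint instead of packing them into
        // the id_token; this is what keeps the id_token_hint short.
        options.GetClaimsFromUserInfoEndpoint = true;

        options.Events.OnRedirectToIdentityProviderForSignOut = context =>
        {
            var message = context.ProtocolMessage;
            // The full URL the browser is about to be redirected to.
            var url = message.CreateLogoutRequestUrl();
            var logger = context.HttpContext.RequestServices
                .GetRequiredService<ILoggerFactory>()
                .CreateLogger("EndSession");

            // state carries the protected AuthenticationProperties; the handler
            // unprotects it on the signed-out callback to find the return URL.
            logger.LogInformation(
                "end_session URL {Total} chars (id_token_hint {Hint}, state {State})",
                url.Length,
                message.IdTokenHint?.Length ?? 0,
                message.State?.Length ?? 0);

            if (url.Length > 2048) // constructed threshold for this example
            {
                logger.LogWarning(
                    "end_session URL exceeds 2048 chars; shrink id_token_hint rather than dropping state");
            }
            return Task.CompletedTask;
        };
    });
```

The log line makes it clear which parameter is actually inflating the URL before anything is changed in the protocol message.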

prijgec commented 2 months ago

Thanks