DuendeSoftware / Support

Support for Duende Software products

Using many accounts on the same browser #1350

Closed JKhoury96 closed 1 week ago

JKhoury96 commented 1 month ago

Hi,

I have a problem when I use many accounts in the same instance of a browser.

In the first connection from my site to the client site, the authorize endpoint is invoked, and I have in the log: No user present in authorize request. So, I am redirected to the login page. It's normal for the first time. I enter the login/password, the session is created, and I am redirected to the client site, to the correct account.

When I decide to log out from the account and use another account in my site, when connecting to the client site, the authorize endpoint is invoked, but now I have in the log: User in authorize request: {subjectId}, the same subject id of the user before. So I am redirected to the client site, but to the wrong account (the account of the previous user).

I am using IdentityServer.

RolandGuijt commented 1 month ago

Assuming the client is an application running on a server, please keep in mind that with 1 client the number of sessions will be 2. That means after authentication there will be 2 session cookies in the browser. One for the client and one for the identity provider.

If logging out just means deleting the client cookie it means that the identity provider cookie is still there. When the next authentication attempt occurs the authorize endpoint is hit and it will return the token(s) straight away (without showing a login page) because there already is a valid session. To solve the problem the identity provider session has to be ended as well when logout occurs. The client can't do that because it doesn't have access to the cookie. Instead it has to redirect to the identity provider. That's why the identity provider has an end session endpoint.

For further info and an example please watch this video, especially the part starting at 9:45.
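The two logout variants described above, as an added example that is not part of the thread and not Duende's own sample code. It assumes an ASP.NET Core MVC client configured with the cookie and OpenID Connect handlers; the authority URL, client id, the `/` post-logout return path and the `PostLogoutRedirectUris` value on the IdentityServer side are placeholders to be replaced with the real configuration.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// ---- Program.cs of the client (assumed registration; values are placeholders) ----
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    // Session 1: the client's own cookie.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    // Session 2 lives at the identity provider and is reached through the OIDC handler.
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    options.Authority = "https://identityserver.example"; // placeholder
    options.ClientId = "mvc-client";                      // placeholder
    options.ResponseType = "code";
    options.SaveTokens = true; // keeps the id_token, which the handler sends as id_token_hint on end session
    // The handler's SignedOutCallbackPath (default "/signout-callback-oidc") must be listed
    // in the IdentityServer client's PostLogoutRedirectUris, otherwise the IdP will not return here.
});

builder.Services.AddControllersWithViews();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// ---- AccountController.cs of the client ----
public class AccountController : Controller
{
    // Variant 1 (the behaviour reported in the issue): only the client cookie is removed.
    // The identity provider cookie is untouched, so the next authorize request is answered
    // with "User in authorize request: {subjectId}" and tokens for the previous user.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult LogoutClientOnly()
    {
        return SignOut(CookieAuthenticationDefaults.AuthenticationScheme);
    }

    // Variant 2 (the fix): sign out of the cookie scheme AND the OIDC scheme. The OIDC
    // handler turns the second sign-out into a browser redirect to the identity provider's
    // end session endpoint, which ends the IdP session and then returns to RedirectUri.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Logout()
    {
        var props = new AuthenticationProperties { RedirectUri = "/" }; // assumed post-logout page
        return SignOut(
            props,
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

A quick way to confirm the fix on the IdentityServer side is to watch the log after a logout and a fresh login attempt: with variant 2 the authorize endpoint should again report "No user present in authorize request" and show the login page, whereas with variant 1 it keeps reporting the old subject id.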

RolandGuijt commented 3 weeks ago

@JKhoury96 Did this help you out? If so I'd like to close.

RolandGuijt commented 1 week ago

Closing for now but feel free to reopen if needed.