IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Implementing single sign on/out #821

Closed rdosanjh closed 9 years ago

rdosanjh commented 9 years ago

Hi, I am working on an AngularJS web app and I am trying to implement single sign on. I had a nice implementation using Identity server and authorization server with implicit flow and OAuth tokens; however, I need a mechanism to sign the user out of all apps they are signed into.

I am currently redirecting the user to authorization server; this then redirects the user to identity server. The user logs on and is shown a consent screen; a JSON web token is then sent to the app via the query string and is put into local storage. This token is attached to the Authorization header which the web API (that is on a different domain) receives and either allows or denies the request.

The problem is OAuth has no way of signing a user out of all apps. I have now looked at WS-Federation using JSON web tokens but this approach still appears to use cookies, which I would like to avoid as the API and client app are on different domains.

Does Thinktecture Identity Server have any way to do this, and if so are there any examples I could take a look at?

Thanks

brockallen commented 9 years ago

Like you said, OAuth doesn't define signout. IdentityServer v3 implements OpenID Connect which will have a signout mechanism. Perhaps if you're just getting started with your app, IdentityServer v3 is a better choice to use.

rdosanjh commented 9 years ago

OK, I see Identity Server 2.5 has an option for OpenID Connect. Would that provide the capability to sign out?

leastprivilege commented 9 years ago

v2.5 has no implementation of the OIDC session management spec - it is still in draft. In v3 we have a signout endpoint.
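
An added example, not part of the thread and not IdentityServer code: how the single-page app described above could sign out against an OpenID Connect end-session endpoint, clearing its locally stored tokens first and checking the `state` value when the provider redirects back. The endpoint URL, redirect URL and storage key names are assumptions; `id_token_hint`, `post_logout_redirect_uri` and `state` are the parameter names from the OpenID Connect logout specification.

```javascript
// Added example. URLs and storage key names are placeholders (assumptions).
// In a browser, pass window.localStorage as `storage`.

// Minimal stand-in for localStorage so the example also runs outside a browser.
function memoryStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
  };
}

// Unpredictable state value; ties the logout response to this request.
function randomState() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// Clears local tokens and returns the URL to redirect the browser to.
function beginSignOut(storage, cfg, makeState = randomState) {
  const idToken = storage.getItem('id_token');
  // Drop local credentials first, so this app is signed out even if
  // the redirect to the provider never completes.
  storage.removeItem('access_token');
  storage.removeItem('id_token');

  const state = makeState();
  storage.setItem('signout_state', state);

  const url = new URL(cfg.endSessionEndpoint);
  if (idToken) url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', cfg.postLogoutRedirectUri);
  url.searchParams.set('state', state);
  return url.toString();
}

// Called on the post-logout page; the state is accepted once only.
function completeSignOut(storage, returnUrl) {
  const expected = storage.getItem('signout_state');
  storage.removeItem('signout_state');
  const received = new URL(returnUrl).searchParams.get('state');
  return expected !== null && received === expected;
}
```

This ends the session at the provider and in the calling app only; access tokens other apps already hold in their own storage stay usable until they expire or those apps are told to discard them.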