IdentityServer 4, Backchannel-Logout, Reject Logout-Token, Bad Request


Situation:

I have my own OpenId based server and several clients. When I log out, I use the backchannel logout to log me out in all clients. The OpenId specification tells me that I need to verify the sent logout_token and reject it with BadRequest 400 if it cannot be verified.

My implementation in the client (abbreviated to the relevant parts), done in Startup.cs:

public void ConfigureServices(IServiceCollection services)
{
    //... stuff set up
    services.AddAuthentication()
        .AddCookie(/* some options */)
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            //... stuff set up
            options.Events.OnRemoteSignOut = context =>
            {
                var parameters = context.ProtocolMessage.Parameters;
                if (parameters.TryGetValue("logout_token", out string token))
                {
                    if (...) // check if token is valid according to spec
                    {
                        // do stuff for logout
                    }
                    else
                        return Task.FromResult(new BadRequestResult()); // <--- Here is the core of my question.
                }
                return Task.CompletedTask;
            };
        });
}

My actual Question:

In the marked line: what is the correct syntax to properly give back the error 400 as required by the spec? It is possible that I have an important gap in knowledge about Tasks, but I'm not sure what I actually should do here or which keywords to search for.

When I try to test this out with Postman, I get an error 404 back (despite running through the code to that BadRequestResult), instead of the expected 400.

OnRemoteSignOut is defined with a return type of Func<RemoteSignOutContext, Task>.

Official spec for OpenId logout token validation
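An added example, not the asker's code, of one way to do the spec's logout_token validation inside `OnRemoteSignOut` and answer 400 in ASP.NET Core: the returned `Task` carries no HTTP result, so the status code is written to `context.Response` and `context.HandleResponse()` stops the handler from continuing. `BackchannelLogout` is an assumed class name and the session-revocation step is only a comment; the signing keys and issuer come from the discovery document the OpenID Connect middleware already caches.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class BackchannelLogout   // assumed name, not part of the question
{
    private const string LogoutEvent = "http://schemas.openid.net/event/backchannel-logout";

    // Wire up with: options.Events.OnRemoteSignOut = BackchannelLogout.OnRemoteSignOut;
    public static async Task OnRemoteSignOut(RemoteSignOutContext context)
    {
        if (!context.ProtocolMessage.Parameters.TryGetValue("logout_token", out var token)
            || string.IsNullOrEmpty(token))
        {
            Reject(context); return;
        }

        // Issuer and signing keys from the OP's discovery document (cached by the middleware).
        var config = await context.Options.ConfigurationManager
            .GetConfigurationAsync(context.HttpContext.RequestAborted);

        var tvp = new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,                 // iss MUST match the OP
            ValidAudience = context.Options.ClientId,    // aud MUST contain this client
            IssuerSigningKeys = config.SigningKeys,      // signature MUST verify
            RequireExpirationTime = false,               // exp is optional in a logout token
            ClockSkew = TimeSpan.FromMinutes(2),
        };

        try
        {
            new JwtSecurityTokenHandler().ValidateToken(token, tvp, out var validated);
            var payload = ((JwtSecurityToken)validated).Payload;   // raw claims, no claim-type mapping
            payload.TryGetValue("events", out var events);
            bool ok = payload.ContainsKey("iat")
                   && Convert.ToString(events)?.Contains(LogoutEvent) == true
                   && !payload.ContainsKey("nonce")                     // nonce MUST NOT be present
                   && (payload.ContainsKey("sub") || payload.ContainsKey("sid"));
            if (!ok) { Reject(context); return; }
            // Token verified: revoke the local session(s) matching sub/sid here, then let the
            // handler finish; leaving context unhandled keeps the default 200 response.
        }
        catch (SecurityTokenException) { Reject(context); }
    }

    private static void Reject(RemoteSignOutContext context)
    {
        context.Response.StatusCode = 400;  // spec: respond 400 Bad Request on validation failure
        context.HandleResponse();           // response is written; do not run the default sign-out
    }
}
```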
