SSO sign out from Google with Microsoft.Identity.Web


I have a dotnet 7.0 application (web app) and I want to be able to sign users in and out via SSO from Azure AD and Google. Signing in is working for both. But signing out is only working for AzureAD and not for Google.

For AzureAd, the signout means that you will need to enter your credentials again, if you want to sign in to my application again. But the signout will not sign you out entirely from AzureAD, meaning that other applications a user was using will continue to work. I do this by signing out of the AzureAD scheme, and by signing out of the Cookies scheme.

For Google, I want to achieve the same. So I try to sign out of the Google scheme and sign out of the Cookies scheme. But signing out of the Google scheme throws an exception! Currently all I can do is just remove that line and only sign out of the Cookies scheme. But if I do that, the user does not need to enter his credentials again the next time he wants to sign in to my application.

The exception that is thrown is: InvalidOperationException: The authentication handler registered for scheme 'Google' is 'GoogleHandler' which cannot be used for SignOutAsync. The registered sign-out schemes are: Cookies, OpenIdConnect.

And the code looks like this:

app.MapGet("/logoutAzureAD",
[Authorize(AuthenticationSchemes = OpenIdConnectDefaults.AuthenticationScheme)]
async (HttpContext httpContext) =>
{
    await httpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme); // ok!
    await httpContext.SignOutAsync(
        CookieAuthenticationDefaults.AuthenticationScheme,
        new AuthenticationProperties { RedirectUri = "/" });
})
.WithName("logoutAzureAD");

app.MapGet("/logoutGoogle",
[Authorize(AuthenticationSchemes = GoogleDefaults.AuthenticationScheme)]
async (HttpContext httpContext) =>
{
    await httpContext.SignOutAsync(GoogleDefaults.AuthenticationScheme); // throws!
    await httpContext.SignOutAsync(
        CookieAuthenticationDefaults.AuthenticationScheme,
        new AuthenticationProperties { RedirectUri = "/" });
})
.WithName("logoutGoogle");

So how do I sign out from Google for my application, in such a way that the user needs to enter his credentials again when signing in again later, but without signing the user out of Google entirely (so he can keep using other applications such as Gmail)?


Edit

I have changed to using Google.Apis.Auth.AspNetCore3 instead of Microsoft.AspNetCore.Authentication.Google, as per the comment of @PanagiotisKanavos.

This package seems to have a handler that can be used for SignOutAsync. But now I get a different error: Cannot redirect to the end session endpoint, the configuration may be missing or invalid.
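An added example illustrating the scheme split the question describes (not the asker's code, and not taken from either Google package): the Google OAuth handler only performs the remote challenge and has no end-session endpoint, so the application session lives entirely in the Cookies scheme and that is the only scheme to sign out of locally; re-entry of credentials is instead requested at the next challenge through Google's `prompt` parameter. It assumes the Microsoft.AspNetCore.Authentication.Google package and placeholder configuration keys `Google:ClientId` / `Google:ClientSecret`.

```csharp
// Added example, not the asker's code. Minimal .NET 7 web app.
// Assumes Microsoft.AspNetCore.Authentication.Google and placeholder
// configuration keys "Google:ClientId" / "Google:ClientSecret".
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.Google;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    // The cookie is the application's own session and the only thing
    // a local sign-out can clear; harden it while we are here.
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    })
    // Google is a remote OAuth handler: it can challenge, but it has no
    // end-session endpoint, which is why SignOutAsync("Google") throws.
    .AddGoogle(options =>
    {
        options.ClientId = builder.Configuration["Google:ClientId"]!;
        options.ClientSecret = builder.Configuration["Google:ClientSecret"]!;
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Sign-in: ask Google to show the account chooser on every challenge, so an
// existing Google session cannot silently re-create the app session after a
// local sign-out. Google documents prompt=none, consent and select_account.
app.MapGet("/loginGoogle", (HttpContext ctx) =>
    ctx.ChallengeAsync(GoogleDefaults.AuthenticationScheme, new GoogleChallengeProperties
    {
        RedirectUri = "/",
        Prompt = "select_account",
    }));

// Sign-out: clear only the application cookie. The user stays signed in to
// Google (Gmail etc.); the next /loginGoogle goes back through the chooser.
app.MapGet("/logoutGoogle", [Authorize] async (HttpContext ctx) =>
{
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme,
        new AuthenticationProperties { RedirectUri = "/" });
});

app.Run();
```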
