Reset Cookies and force new sign-in using ASP.NET Core Identity

This post looks at implementing a cookie reset in an ASP.NET Core application using Duende IdentityServer which federates to Entra ID. Sometimes cookies need to be reset for end users due to size problems or unexplained remote authentication server errors. The cookies can be cleared and a new sign-in can be forced.

Code: https://github.com/damienbod/DuendeProfileServiceAspNetCoreIdentity

Setup

The ASP.NET Core web application is set up to authenticate using an identity server implemented with ASP.NET Core Identity and Duende IdentityServer. The identity provider federates to Entra ID using OpenID Connect. In our use case, Microsoft accounts are invited into the Entra ID tenant as guests and login.live.com is used to authenticate the Microsoft Account users. We would like to provide a cookie reset for the two ASP.NET Core applications and force a sign-in flow. The user might still be authenticated in Entra ID or Live, in which case the user will automatically be authenticated again. This just provides a cookie clean-up in your application. If you want to sign out, the standard SignOut method can be used with the correct required schemes.

Reset

An ASP.NET Core Razor Page is used to send a cookie reset POST request.

<form method="post">
    <input type="submit" class="btn btn-warning" name="Reset">
</form>

The POST handler deletes all cookies for the identity provider application and redirects to the OpenID Connect client application using an HTTP redirect.

public IActionResult OnPost()
{
    // clear cache if needed: expire every cookie the browser sent with this request
    foreach (var cookie in Request.Cookies.Keys)
    {
        Response.Cookies.Delete(cookie);
    }

    // bubble up to a UI application if required
    return Redirect("https://localhost:5015/resetcache");
}

The HTTP GET endpoint on the OpenID Connect client application deletes all of its cookies and redirects to the default page, which requires an authenticated user. The default challenge kicks in and starts an authentication flow. If the user is still authenticated in Entra ID, the identity is silently authenticated again.

[AllowAnonymous]
public class Index : PageModel
{
    public IActionResult OnGet()
    {
        // clear the cookie cache
        foreach (var cookie in Request.Cookies.Keys)
        {
            Response.Cookies.Delete(cookie);
        }

        // Force a sign-in
        return Redirect("/");
    }
}
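A hardened variant of the client-side reset page, added here as an example and not code from the post or its repository. It expires each cookie for the paths it may have been issued on (Response.Cookies.Delete with no options only covers the default path, and only cookies the browser sent with this request are visible), sets the Clear-Site-Data header, clears any server-side session, and redirects only to a fixed local path; the page name ResetCache and the cookie path list are assumptions.

```csharp
// Added example, not the post's own code: a hardened reset page for the
// OpenID Connect client application. Page name and cookie paths are assumed.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

[AllowAnonymous]
public class ResetCache : PageModel
{
    // Paths this application (or its authentication handlers) may have used
    // when issuing cookies. Constructed list; adjust to the deployment.
    private static readonly string[] CookiePaths = { "/", "/signin-oidc" };

    public IActionResult OnGet()
    {
        // Only cookies the browser sent with this request are visible here.
        // Delete(name) alone emits an expired Set-Cookie for the default path;
        // a cookie issued with another Path attribute is left untouched, so
        // expire each name for every path it may have been scoped to.
        foreach (var name in Request.Cookies.Keys)
        {
            foreach (var path in CookiePaths)
            {
                Response.Cookies.Delete(name, new CookieOptions { Path = path });
            }
        }

        // Ask the browser to drop cookies, storage and cache for this origin
        // as well (the tip from the comments). The directives must be quoted.
        Response.Headers["Clear-Site-Data"] = "\"cookies\", \"storage\", \"cache\"";

        // The cookie is only a key into any server-side session store;
        // clear that too when session state is configured.
        if (HttpContext.Features.Get<ISessionFeature>()?.Session is { } session)
        {
            session.Clear();
        }

        // Fixed local target: never redirect to a caller-supplied URL from a
        // reset endpoint, or it becomes an open redirector.
        return LocalRedirect("/");
    }
}
```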

Handle remote errors

The cookie reset can also be used to handle OpenID Connect remote authentication errors, which sometimes occur for unknown reasons and leave the user unable to recover without resetting the local cookies.

OnRemoteFailure = async context =>
{
    var logger = context.HttpContext
        .RequestServices.GetRequiredService<ILogger<Program>>();

    logger.LogInformation(
        "OnRemoteFailure from identity provider. Scheme: {Scheme}",
        context.Scheme.Name);

    if (context.Failure != null)
    {
        // e.g. server_error returned by the identity provider
        context.HandleResponse();

        // the failure message is reflected into the URL, so encode it
        context.Response.Redirect(
            $"/Home/Reset?remoteError={Uri.EscapeDataString(context.Failure.Message)}");
    }

    await Task.CompletedTask;
}

Notes

Normally this should not be required. The default sign-out logic should be used if a logout is required. This logic is only for a local reset and does not log out the user. Changing state on an HTTP GET is also not recommended, but it is required for this to work.

Why not just signout?

Using the SignOut method is the correct way to sign out of an ASP.NET Core application. Each of the configured schemes can be signed out. Removing cookies from the browser does not sign out the user; it just cleans up the local cookies and whatever is saved behind them.

What about cache?

If the session is stored in a server session or a server cache, then you would need to clean this up and not just the cookies.

What happens on the external identity provider?

We have no control over this directly and cannot manage the sessions there. To remove that session, you would need to send an end session request to the OpenID Connect server.
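For contrast with the local reset, and covering the three questions just answered (sign-out, server-side cache, the external provider's session), here is the full sign-out as an added example, not code from the post: signing out of the cookie scheme ends the local application session, signing out of the OpenID Connect scheme sends the end session request to the identity provider, and server-side session state is cleared explicitly. The page name Logout and the default scheme names are assumptions.

```csharp
// Added example, not the post's own code: the full sign-out the post
// recommends when the user should actually be logged out. Page name and
// scheme names are assumptions.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public class Logout : PageModel
{
    // POST only: Razor Pages validates the anti-forgery token, so a third
    // party cannot log the user out with a crafted link or image request.
    public IActionResult OnPost()
    {
        // A sign-out does not touch server-side state keyed by the session
        // cookie; clear it explicitly when session state is in use.
        HttpContext.Features.Get<ISessionFeature>()?.Session.Clear();

        // Where the browser lands after the provider finishes end_session.
        // Must match a post-logout redirect URI registered at the provider.
        var properties = new AuthenticationProperties { RedirectUri = "/" };

        // Cookie scheme: removes the local application session.
        // OpenID Connect scheme: sends the end_session request to the
        // identity provider so its session is ended, not just the cookie.
        return SignOut(properties,
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```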

Links

https://docs.duendesoftware.com/identityserver/reference/services/profile-service

https://duendesoftware.com/products/identityserver

https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity

https://learn.microsoft.com/en-us/aspnet/core/security/authentication/claims

https://github.com/damienbod/MulitipleClientClaimsMapping

https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/

3 comments

  1. righettod:

    Hello, thank you very much for the blog post and its advice. In addition, specifying the header "Clear-Site-Data" on the endpoint that clears the cookies can help remove any local content created during the "session".

    1. damienbod:

      Thanks for the tip, greetings Damien
