What Identity LogOff behavior should templates (and samples) adopt?
guardrex opened this issue
TL;DR dotnet/AspNetCore.Docs#2867 (big time ... I'll summarize the issue here)
The Introduction to Identity doc sample might have been derived from the Identity sample and that sample's `AccountController`, which uses this `LogOff` action ...

```csharp
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> LogOff()
{
    await _signInManager.SignOutAsync();
    _logger.LogInformation(4, "User logged out.");
    return RedirectToAction(nameof(HomeController.Index), "Home");
}
```
The doc sample shows how to set the `LogoutPath` ...

```csharp
options.Cookies.ApplicationCookie.LogoutPath = "/Account/LogOff";
```

However, no `returnUrl` request parameter (setting the `Location` header) is going to be honored with the `RedirectToAction` present on the controller action, which will win the battle on where the browser should go after a logoff ... it will go `Home`.
In the TL;DR issue, @HaoK said:
I believe the original idea is that it's trying to keep you on the same page you were at, so if you were in About, and click Logoff, that will generate a returnUrl to /About, and will redirect you back there.
But yeah the templates today no longer seem to support that scenario, I just tried it and it just sends you back to Home... so it's either a bug (or the new behavior). You could file a bug in the templates repo asking what the desired behavior is as well...
The options are probably to either ...
- Don't set `LogoutPath` if the controller action is going to force a `RedirectToAction`, or ...
- Drop the `RedirectToAction` in favor of `return new EmptyResult();` and include an `asp-route-returnUrl="/"` on the `<form>` tag. However, note that the Identity sample and the doc have no Views; therefore, there's no way via the current sample and doc to show an `asp-route-returnUrl` attribute.
Thanks to @PinpointTownes for helpful insight.
@guardrex I read that other looooong issue, and this one, and I still don't get it.
If you want after a logout, to be redirected to "/thanks", then must you do
- `options.LogoutPath = new PathString("/Account/Logout/ReturnUrl=/thanks");`
- or `options.LogoutPath = new PathString("/thanks");`
- or do the redirect manually in the logout action
Even now after release of ASP.NET Core 2.0 there is no proper documentation for this anywhere, and the samples are outdated. It seems like you really understand this, so do you mind letting us know how you do it?
@grokky1 I've only been working on docs since March and not on actual enterprise apps. I haven't had to face this issue with an app since we discussed it here; so actually, I don't have additional general advice.
In your case tho, it seems like your option 3 is clean. As you suggest, you can just manually do it in `LogOff` (or `Logout`) by physically setting the `RedirectToAction` to go to your `/thanks` view. Nice and clean, as long as you never need to use `returnUrl` to go anywhere else. They will always be "thanked for visiting."
I haven't checked out the new identity stuff (yet!) in 2.0. I do notice tho that they're still doing the same thing with the web starter template: https://github.com/aspnet/Templates/blob/dev/template_feed/Microsoft.DotNet.Web.ProjectTemplates.2.0/content/StarterWeb-CSharp/Controllers/AccountController.cs#L67
I like the idea of returning via returnUrl.
This issue was moved to aspnet/Templating#88
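
One way to honor `returnUrl` in the `LogOff` action while keeping the Home fallback, shown as an added example (not code from the Identity sample, the templates, or anyone in this thread). It assumes the template project's `ApplicationUser` and `HomeController` types and that the logout form passes `returnUrl` (for example via `asp-route-returnUrl`). Because that value comes from the request, it is followed only when `Url.IsLocalUrl` accepts it.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Assumption: ApplicationUser and HomeController are the types that the
// web starter template already defines in the same project.
public class AccountController : Controller
{
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly ILogger _logger;

    public AccountController(
        SignInManager<ApplicationUser> signInManager,
        ILoggerFactory loggerFactory)
    {
        _signInManager = signInManager;
        _logger = loggerFactory.CreateLogger<AccountController>();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> LogOff(string returnUrl = null)
    {
        await _signInManager.SignOutAsync();
        _logger.LogInformation(4, "User logged out.");

        // returnUrl is request-supplied. Follow it only when it points back
        // into this application; absolute and protocol-relative URLs such as
        // "https://other.example/" or "//other.example/" are rejected here.
        if (Url.IsLocalUrl(returnUrl))
        {
            // LocalRedirect throws if handed a non-local URL, so a later
            // refactor that drops the check above fails loudly.
            return LocalRedirect(returnUrl);
        }

        // No usable returnUrl: keep the sample's original behavior.
        return RedirectToAction(nameof(HomeController.Index), "Home");
    }
}
```

With this action, a form rendered with `asp-route-returnUrl="/thanks"` lands on `/thanks` after sign-out, and a request with no `returnUrl` still goes Home.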