id_token_hint missing on signout with Dynamic Identity Providers #958

Closed
Achill113 opened this issue Oct 23, 2023 · 6 comments
@Achill113

Which version of Duende IdentityServer are you using?
6.3.5

Which version of .NET are you using?
net6.0

Describe the bug
When signing out of a dynamic identity provider from the AspNetCore MVC UI from the Duende IdentityServer 6 EntityFrameworkCore template, the id_token_hint query parameter is missing.

If I call HttpContext.GetTokenAsync("id_token") from /Pages/Account/Logout/Index.cshtml.cs it returns the id_token, but when placing a breakpoint in the OpenIdConnectHandler where the IdTokenHint should be added to the request (OpenIdConnectHandler.cs Ln 247), the id_token is null.

// /Pages/Account/Logout/Index.cshtml.cs

public async Task<IActionResult> OnPost()
{
    if (User?.Identity.IsAuthenticated == true)
    {
        // if there's no current logout context, we need to create one
        // this captures necessary info from the current logged in user
        // this can still return null if there is no context needed
        LogoutId ??= await _interaction.CreateLogoutContextAsync();

        // delete local authentication cookie
        await _signInManager.SignOutAsync();

        // raise the logout event
        await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName()));

        // see if we need to trigger federated logout
        var idp = User.FindFirst(JwtClaimTypes.IdentityProvider)?.Value;

        // if it's a local login we can ignore this workflow
        if (idp != null && idp != Duende.IdentityServer.IdentityServerConstants.LocalIdentityProvider)
        {
            // we need to see if the provider supports external logout
            if (await HttpContext.GetSchemeSupportsSignOutAsync(idp))
            {
                // build a return URL so the upstream provider will redirect back
                // to us after the user has logged out. this allows us to then
                // complete our single sign-out processing.
                string url = Url.Page("/Account/Logout/Loggedout", new { logoutId = LogoutId });

                // this triggers a redirect to the external provider for sign-out
                return SignOut(new AuthenticationProperties { RedirectUri = url }, idp);
            }
        }
    }

    return RedirectToPage("/Account/Logout/LoggedOut", new { logoutId = LogoutId });
}

To Reproduce

  1. Set up Dynamic Identity Providers with "oidc" providers.
  2. Sign in.
  3. Sign out.

Expected behavior
Should be redirected to the Identity Provider with an id_token_hint query parameter.


Log output/exception with stacktrace

Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler - AuthenticationScheme: idsrv was not authenticated.

Additional context

I am trying to integrate with Okta as an Identity Provider which requires id_token_hint when logging out.

@AndersAbel
Member

Are you using ASP.NET Identity in your application? Do you know what the DefaultScheme is set to in your application?

@AndersAbel AndersAbel self-assigned this Oct 29, 2023
@Achill113
Author

@AndersAbel Yes, I am using ASP.NET Identity. The SignOutScheme is idsrv and the SignInScheme is idsrv.external.

@AndersAbel
Member

If you are using ASP.NET Identity the default scheme is changed to IdentityConstants.ApplicationScheme, with the value of Identity.Application. Please try changing the SignOutScheme property of the OpenID Connect options to IdentityConstants.ApplicationScheme. That should wire up the schemes correctly and let the OIDC handler find the id_token.
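The scheme wiring described in this answer, as an added example that is not code from the issue, the Duende template or the Duende project; it assumes the host registers ASP.NET Identity alongside IdentityServer, that `IdentityServerOptions.DynamicProviders` exposes `SignInScheme`/`SignOutScheme` for dynamic "oidc" providers, and uses placeholder issuer and client values.

```csharp
// Added example: Program.cs service registration when IdentityServer is
// combined with ASP.NET Identity. Not code from the issue or the template.
using Duende.IdentityServer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class SignOutSchemeSetup
{
    public static void Configure(IServiceCollection services)
    {
        // ASP.NET Identity registers its own cookie scheme ("Identity.Application")
        // and makes it the default scheme. After the external callback the
        // template stores the upstream id_token in that cookie, not in "idsrv".
        services.AddIdentity<IdentityUser, IdentityRole>()
            .AddDefaultTokenProviders();

        services.AddIdentityServer(options =>
        {
            // Dynamic providers default to SignOutScheme = "idsrv" (assumption:
            // DynamicProviderOptions exposes these two properties). On SignOut the
            // OIDC handler authenticates against SignOutScheme to read the id_token;
            // "idsrv" holds no principal here, so id_token_hint is silently omitted.
            options.DynamicProviders.SignInScheme =
                IdentityServerConstants.ExternalCookieAuthenticationScheme; // "idsrv.external"
            options.DynamicProviders.SignOutScheme =
                IdentityConstants.ApplicationScheme;                        // corrected
        });

        // The same correction for a statically registered OIDC provider.
        services.AddAuthentication()
            .AddOpenIdConnect("oidc-static", "Upstream OIDC (static)", options =>
            {
                options.Authority = "https://<upstream-issuer>"; // placeholder
                options.ClientId = "<client-id>";                // placeholder
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                // Misconfigured (reproduces the bug):
                // options.SignOutScheme = IdentityServerConstants.DefaultCookieAuthenticationScheme;
                options.SignOutScheme = IdentityConstants.ApplicationScheme;
                options.SaveTokens = true; // keep id_token for the callback to store
            });
    }
}
```

After the change, the end_session redirect built by the handler should carry id_token_hint; checking the outgoing redirect URL for that parameter is the quickest way to confirm the schemes are wired correctly.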

@Achill113
Author

@AndersAbel that worked, thank you so much! Is this mentioned in your documentation anywhere? If so I'd like to reference it in our internal Knowledge Base.

@AndersAbel
Member

No, it's not explicitly documented. But it's a good idea as this is a common source of confusion. I've added it to my backlog: DuendeSoftware/docs.duendesoftware.com#367

@Achill113
Author

Thank you again! I've thoroughly tested it, and it seems to be working great!
