OpenIdConnect signout-callback-oidc stays blank

[Ben555555]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

I'm using the following API-endpoint to sign out from my SPA:

[HttpGet("[action]")]
public ActionResult Logout()
{
    return SignOut(new AuthenticationProperties { RedirectUri = "http://localhost:4200/authentication/login" },
        CookieAuthenticationDefaults.AuthenticationScheme,
        "MyScheme");
}

I also enabled SaveTokens in the OpenidConnect options.
Here is what happens

• Client application redirects to API-Endpoint http://localhost:5272/api/Authentication/Logout
• This redirects to "openid-connect/logout?post_logout_redirect_uri=http://localhost:5272/signout-callback-oidc&id_token_hint=..." in keycloak (the IDP I'm using)
• The IDP redirects to http://localhost:5272/signout-callback-oidc?state=CfDJ8DmKONL38F5N
• The page stays blank, the status code is 200

Why isn't it redirecting to the RedirectUri I passed in the SignOut method? It seems to be completely ignored. Only solution I found is to use the "OnRedirectToIdentityProviderForSignOut" event to manually set the post_logout_redirect_uri directly to the final RedirectUri.

Expected Behavior

No response

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

10.0.3

Anything else?

No response

[github-actions]

Triage Summary

Area: area-auth — The issue involves OpenID Connect authentication, specifically the SignOut() method with AuthenticationProperties.RedirectUri and the OIDC signout callback handler.

Type: question — The reporter is asking why the RedirectUri passed to SignOut() is not honored after the /signout-callback-oidc callback. This is likely a misunderstanding of the OIDC signout flow rather than a clear bug. Notably, the IDP URL shows id_token_hint= (empty), which suggests the id token may not be found even though SaveTokens = true is set — this could be the root cause preventing the state from being properly round-tripped through the IDP and back to the callback handler.

Potential Duplicates

• None found

Notes

• The OIDC signout flow works as follows: (1) SignOut() redirects to the IDP with post_logout_redirect_uri pointing to /signout-callback-oidc; (2) the IDP redirects back to /signout-callback-oidc with a state parameter; (3) the OIDC handler reads the state and performs the final redirect to RedirectUri. The blank 200 response suggests the state was not returned by the IDP, likely because the empty id_token_hint caused the IDP (Keycloak) to not echo the state back.
• The author may want to verify: (a) why id_token_hint is empty (check if the id_token is actually saved — SaveTokens = true must be set before the initial sign-in), and (b) whether Keycloak is configured to return the state parameter on logout even without an id_token_hint.
• Steps to reproduce and expected behavior sections were left blank, which makes this harder to investigate as a potential bug.

Generated by Issue Triage Agent for dotnet/aspnetcore for issue #66241 · ● 175.2K · ◷