In a Blazor SSR web app, I have configured the OIDC authentication and the RemoteSignOutPath has been set.
```csharp
builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
    {
        // ...
    })
    .AddOpenIdConnect(options =>
    {
        options.RemoteSignOutPath = "/oidc-remote-logout";
        // ...
    });
```

According to the OpenID Connect Back-Channel Logout spec, I need to post a logout token to this endpoint. When I do, I get a 400 Bad Request response:
A valid antiforgery token was not provided with the request. Add an antiforgery token, or disable antiforgery validation for this endpoint.
How can I solve this issue?
Does the framework handle this endpoint and its token validation by itself or do I have to implement it?
This is the middleware order:
```csharp
// ...
builder.Services.AddRazorComponents();

var app = builder.Build();

if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}
else
{
    app.UseExceptionHandler("/error");
}

app.MapStaticAssets();
app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery();

app.MapPost("/logout", async (HttpContext httpContext) =>
{
    await httpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await httpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
});

app.MapRazorComponents<App>();
```
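For the token-validation part of the question, the claim checks that the Back-Channel Logout spec asks a relying party to run on a logout token, as an added example that is not part of the original post and not framework code. It assumes the token's signature has already been verified against the provider's keys; `LogoutTokenChecks`, the issuer, the client id, the clock-skew allowance and the sample payload are all constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text.Json;

// Constructed sample payload (not from the original post); signature assumed already verified.
const string sample = """{"iss":"https://idp.example","aud":["my-client"],"iat":1700000000,"exp":1700000120,"jti":"j1","sid":"s1","events":{"http://schemas.openid.net/event/backchannel-logout":{}}}""";
var now = DateTimeOffset.FromUnixTimeSeconds(1700000030);
// Second input is the same payload with a nonce claim added, which must be rejected.
foreach (var json in new[] { sample, sample.Replace("\"jti\"", "\"nonce\":\"n\",\"jti\"") })
{
    using var doc = JsonDocument.Parse(json);
    var reason = LogoutTokenChecks.Validate(doc.RootElement, "https://idp.example", "my-client", now);
    Console.WriteLine(reason ?? "accepted");
}

static class LogoutTokenChecks // hypothetical helper, not an ASP.NET Core type
{
    const string LogoutEvent = "http://schemas.openid.net/event/backchannel-logout";
    const long SkewSeconds = 60; // assumed clock-skew allowance

    // Returns null when the claims are acceptable, otherwise the reason for rejecting the token.
    public static string? Validate(JsonElement p, string issuer, string clientId, DateTimeOffset now)
    {
        long t = now.ToUnixTimeSeconds();
        if (p.ValueKind != JsonValueKind.Object) return "payload is not a JSON object";
        if (Str(p, "iss") != issuer) return "iss does not match the provider";
        if (!p.TryGetProperty("aud", out var aud) || !HasAudience(aud, clientId)) return "aud does not include this client";
        if (Seconds(p, "iat") is not long iat || iat > t + SkewSeconds) return "iat missing or in the future";
        if (Seconds(p, "exp") is not long exp || exp <= t - SkewSeconds) return "exp missing or expired";
        if (Str(p, "jti") is null) return "jti missing";
        if (Str(p, "sub") is null && Str(p, "sid") is null) return "neither sub nor sid present";
        if (!p.TryGetProperty("events", out var ev) || ev.ValueKind != JsonValueKind.Object
            || !ev.TryGetProperty(LogoutEvent, out _)) return "events lacks the back-channel logout member";
        if (p.TryGetProperty("nonce", out _)) return "nonce must not be present";
        return null;
    }

    static string? Str(JsonElement p, string name) =>
        p.TryGetProperty(name, out var v) && v.ValueKind == JsonValueKind.String ? v.GetString() : null;

    static long? Seconds(JsonElement p, string name) =>
        p.TryGetProperty(name, out var v) && v.ValueKind == JsonValueKind.Number && v.TryGetInt64(out var s) ? s : (long?)null;

    // aud may be a single string or an array of strings.
    static bool HasAudience(JsonElement aud, string clientId) => aud.ValueKind switch
    {
        JsonValueKind.String => aud.GetString() == clientId,
        JsonValueKind.Array => aud.EnumerateArray().Any(a => a.ValueKind == JsonValueKind.String && a.GetString() == clientId),
        _ => false
    };
}
```

The spec also lets the relying party reject a logout token whose `jti` was recently seen; that replay cache is left out here.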