I have a website that is authenticated by an external instance of IS4.
I am adding the ability to sign in via an authentication code; this code is passed in via an ACR value.
It works, but for robustness I am adding some validation checks for when there is an existing IS4 identity cookie stored on the IS4 domain, from, say, a previous sign-in. In this case, I need to invalidate / sign out of the IS4 identity cookie when certain conditions are met.
I followed the advice given in the answer to this question:
Add checks in IdentityServer login before redirecting to client app
However, IS4 just presents the user with a validation error.
Is there any way to get IS4 to invalidate the identity cookie and present the user with the login screen like it would do if there wasn't an existing identity cookie?
I considered looking for a special error code when the Error action executes, then signing out and redirecting back to the app so it can repeat the authentication cycle. However, the RedirectUrl property on the Error object is a bit useless, as it holds the client's OIDC sign-in URL, and if I redirect to that, the app will be expecting a correct response at that endpoint to complete the cycle.
I just blogged about how to invalidate issued cookies in ASP.NET Core at
Improving ASP.NET Core Security By Putting Your Cookies On A Diet
Issued cookies are by default not "invalidated" in ASP.NET Core when you sign out, and by using a Session Store for the issued cookies (via AddCookie) you can invalidate any session cookie.
Perhaps you can apply the same technique to IdentityServer.
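One way to apply the ticket-store approach from this answer to the asker's scenario, as an added example (not the blog post's, the asker's, or IdentityServer4's own code): an ITicketStore backed by a ConcurrentDictionary, so the browser cookie holds only a key and the server decides whether it is still valid. In-memory storage, the "sub" claim type, and the RemoveAllForSubject/Register helpers are assumptions, not part of the original answer.

```csharp
// Added example, not IdentityServer4's or the blog post's own code. Assumes in-memory
// storage and that the subject claim type is "sub", as IdentityServer4 issues it.
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;

public class InMemoryTicketStore : ITicketStore
{
    // The cookie carries only this key; claims and expiry stay server-side.
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets = new();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = Guid.NewGuid().ToString("N");
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket) { _tickets[key] = ticket; return Task.CompletedTask; }

    // Unknown key -> null, so the cookie handler treats the request as unauthenticated.
    public Task<AuthenticationTicket> RetrieveAsync(string key) =>
        Task.FromResult(_tickets.TryGetValue(key, out var ticket) ? ticket : null);

    // Called by the handler on sign-out; also callable directly to revoke one session.
    public Task RemoveAsync(string key) { _tickets.TryRemove(key, out _); return Task.CompletedTask; }

    // Revoke every session issued to one subject, e.g. from the login controller
    // when an existing identity cookie must not be reused for the new sign-in.
    public int RemoveAllForSubject(string subjectId)
    {
        var stale = _tickets.Where(kv => kv.Value.Principal.FindFirst("sub")?.Value == subjectId)
                            .Select(kv => kv.Key).ToList();
        foreach (var key in stale) _tickets.TryRemove(key, out _);
        return stale.Count;
    }

    // Startup wiring: register one instance and hand the same one to the cookie handler.
    public static void Register(IServiceCollection services)
    {
        var store = new InMemoryTicketStore();
        services.AddSingleton(store);
        services.AddAuthentication().AddCookie(o => o.SessionStore = store);
    }
}
```

The wiring follows the answer's AddCookie description; with IdentityServer4 the SessionStore has to be set on IS4's own cookie scheme rather than on a separately added one, and an in-memory dictionary should be swapped for a distributed cache once there is more than one server instance.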