Logout from iOS app without cookies #1405

Open
bednart opened this issue Sep 17, 2024 · 0 comments
bednart commented Sep 17, 2024

Which version of Duende IdentityServer are you using?
7.0.6

Which version of .NET are you using?
.NET 8

Hi,
I have implemented AspNetIdentity together with OIDC and it works great for desktop browsers and Android app where cookies work well. Problem is with iOS where cookies are not sent with requests. Main problem is with logout requests and ticket store.

I have configured ITicketStore for default Identity.Application scheme

```csharp
services.AddSingleton<ITicketStore, SqlTicketStore>();
services.AddOptions<CookieAuthenticationOptions>(IdentityConstants.ApplicationScheme)
    .Configure<ITicketStore>((options, store) =>
    {
        options.SessionStore = store;
        options.ExpireTimeSpan = TimeSpan.FromDays(14);
        options.SlidingExpiration = true;
    });
```

If there is a logout request using the connect/endsession endpoint, then the CookieAuthenticationHandler.HandleSignOutAsync() method is called internally which, if there is a cookie sent with the request, successfully deletes the ticket from the session store.

Problem is with the iOS mobile app. By default no cookie is sent together with the logout request, so no ticket is deleted from the session store and the session remains there forever (if there is no automatic deletion of expired tickets).

So my questions are: What is the best practice using OIDC and iOS? Should we make sure that cookies are also sent on iOS, or is there another way to delete the ticket from the session store without a cookie?

What I tried was to add the [Authorize] attribute on the account/logout endpoint, which is internally called after the connect/endsession endpoint is processed. Then the iOS app sends the accessToken together with the connect/endsession request and the ticket from the session store is deleted manually using the sid (session ID) claim from HttpContext.User. But I am not sure if this is the right way.

Thanks for your help.

Tomáš

@RolandGuijt RolandGuijt self-assigned this Sep 19, 2024
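The approach described in the issue (revoke the server-side ticket by its sid claim when no cookie arrives) can be made explicit in the ticket store itself. The following is an added illustration, not the reporter's SqlTicketStore and not Duende IdentityServer's own code: a hypothetical in-memory `ITicketStore` that indexes tickets by the `sid` claim, plus a logout endpoint that authenticates the bearer token and removes the session by that claim. The class names, the `"Bearer"` scheme name and the in-memory dictionaries are assumptions for this example; a real deployment would back it with the SQL table the reporter already uses.

```csharp
// Added illustration (not the issue author's SqlTicketStore, not Duende's code).
// Hypothetical ITicketStore that indexes tickets by the "sid" claim so a logout
// request carrying a bearer token but no cookie can still revoke the server-side
// session. The dictionaries stand in for the SQL table of a real store.
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public sealed class SessionIndexedTicketStore : ITicketStore
{
    // Opaque key (the only value placed in the cookie) -> ticket.
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets = new();
    // sid claim -> key, so a ticket can be located without the cookie.
    private readonly ConcurrentDictionary<string, string> _keysBySid = new();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = Guid.NewGuid().ToString("N"); // unguessable, unrelated to the sid
        Index(key, ticket);
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        Index(key, ticket); // sliding expiration rewrites the ticket under the same key
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        _tickets.TryGetValue(key, out var ticket);
        // Treat an expired ticket as absent so it cannot be used past ExpireTimeSpan,
        // and drop it so expired sessions do not accumulate in the store.
        if (ticket?.Properties.ExpiresUtc is { } exp && exp <= DateTimeOffset.UtcNow)
        {
            Remove(key);
            ticket = null;
        }
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        Remove(key); // normal cookie-based sign-out path
        return Task.CompletedTask;
    }

    // Used by the logout endpoint when no cookie arrived but the caller proved its
    // identity with a bearer token carrying the same sid claim as the ticket.
    public bool RemoveBySessionId(string sid)
        => _keysBySid.TryRemove(sid, out var key) && _tickets.TryRemove(key, out _);

    private void Index(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket;
        var sid = ticket.Principal.FindFirst("sid")?.Value;
        if (sid is not null) _keysBySid[sid] = key;
    }

    private void Remove(string key)
    {
        if (_tickets.TryRemove(key, out var ticket))
        {
            var sid = ticket.Principal.FindFirst("sid")?.Value;
            if (sid is not null) _keysBySid.TryRemove(sid, out _);
        }
    }
}

// Hypothetical logout endpoint. "Bearer" is an assumed JWT scheme name registered
// elsewhere; the sid claim in the access token identifies the session to end.
[ApiController]
public sealed class LogoutController : ControllerBase
{
    private readonly SessionIndexedTicketStore _store;
    public LogoutController(SessionIndexedTicketStore store) => _store = store;

    [HttpPost("account/logout")]
    [Authorize(AuthenticationSchemes = "Bearer")]
    public async Task<IActionResult> Logout()
    {
        var sid = User.FindFirst("sid")?.Value;
        if (sid is null) return BadRequest("token carries no sid claim");

        _store.RemoveBySessionId(sid);                                  // server-side session gone
        await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme); // clears the cookie if present
        return NoContent();
    }
}

// Registration (assumed): one instance serves both the cookie handler and the controller.
// services.AddSingleton<SessionIndexedTicketStore>();
// services.AddSingleton<ITicketStore>(sp => sp.GetRequiredService<SessionIndexedTicketStore>());
```

Because the index key is the sid from the caller's own access token, the endpoint only lets a client end the session that issued that token; the cookie key stays random and is never derived from the sid. Duende IdentityServer also ships a server-side sessions feature (`AddServerSideSessions()`) that keeps sessions keyed by session id with its own expiry cleanup, which is worth evaluating before maintaining a custom index like this.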