Consider revisiting OpenIdConnectOptions.PostLogoutRedirectUri in 2.0.0

[kevinchalet]

This is indeed a breaking change, which is quite subtile as existing code will still compile. At this point, it might be better to completely remove PostLogoutRedirectUri as it now has no added value and is quite confusing (with this PR, it's more like an equivalent to the return URL, but for logout). Alternatively, it should be marked as obsolete and removed in a future version.

#925 (comment)

Now that the OIDC middleware has a dedicated "post logout endpoint", this property doesn't make much sense. I suggest removing PostLogoutRedirectUri in 2.0.0 to re-align the signout logic with the login flow (i.e honor AuthenticationProperties.RedirectUri when it's specified by the dev' and fall back to the current URL when it's not).

/cc @Tratcher

[Tratcher]

Returning to the current url doesn't make sense as a fallback, it would likely cause a signout redirect loop.

[kevinchalet]

Returning to the current url doesn't make sense as a fallback

That's what the OIDC middleware does in the 1.1.0 bits when PostLogoutRedirectUri is set to null:

// Get the post redirect URI.
var properties = new AuthenticationProperties(signout.Properties);
if (string.IsNullOrEmpty(properties.RedirectUri))
{
    properties.RedirectUri = BuildRedirectUriIfRelative(Options.PostLogoutRedirectUri);
    if (string.IsNullOrWhiteSpace(properties.RedirectUri))
    {
        properties.RedirectUri = CurrentUri;
    }
}

That said, you have a valid point. Maybe it would be better to simply rename PostLogoutRedirectUri to a less confusing name (i.e that doesn't conflict with the OIDC parameter name).

[Eilon]

How about the property setter for PostLogoutRedirectUri should throw if it is set to null-or-empty?

I don't think we'd get rid of this property entirely because it has some use. And renaming it would be a minimal improvement with high cost. We could certainly update the doc comments on the property if what we have now is misleading.

[kevinchalet]

How about the property setter for PostLogoutRedirectUri should throw if it is set to null-or-empty?

Why not. Removing it and redirecting the user to the root when no AuthenticationProperties.RedirectUri is specified could be another option.

We could certainly update the doc comments on the property if what we have now is misleading.

Yeah, that would be ideal.