I tried to set https://localhost:44369/Account/Login to post_logout_redirect_url and result is that login page still remembers tenant and when user is trying to logout user ends up as logged in again but not back to application. User ends to auth server main page as logged in like this. 
But problem is that auth server is remembering tenant by that __tenant cookie(I assume). And when I logout auth server login page automatically fill tenant to Selected organization.
Currently I have created logged-out page at my frontend which is not protected by auth guard so it will no trigger authentication process. In that page I have button which redirect user to my application root(/logged-out/ ---> /). So when user clicks that button authentication process starts and user is redirected to auth servers loginpage. When user or apparently page itself(from cookie) select organization which only have one external provider configurated, it redirects user to immediatelly to that providers page and login page is not even shown to user. So how can I clear that auth server won't remember tenant?
Here are those authserver configurations from frontend. What I need to configure and where to achive what you suggest ("pass to the logout page a returnUrl to your login page")?
Here are my current localhost settings.
Do I need to add something when I call that logout function? That logout function can take some queryparameters.
I'm returning this later
I'm returning this later
I'm returning this later
The return URL (https://application-test.ab.app/logged-out in this case) must be registered in the PostLogoutRedirectUris column of your OpenIddictApplications table — otherwise, the redirect won’t be accepted.
Here in your example url is to application url. Did you ment auth-server url? And is correct url in auth server Account/logout? Or do you ment that I first redirect with postlogouturl and I also add some other returnurl that after user is directed to Account/Logout user is redirected also to logged-out url in my application? I'm little bit confused how this should be configured. And what makes auth server to forget __tenant.
My logout button is using import { AuthService } from '@abp/ng.core'; authService.logout().subscribe();
Thank for you suggestion. So in option 1 do I need to configure post logout url which goes to OpenIddictApplications tables PostLogoutRedirectUris column? And do you talking about this where I need to configure redirect uri?https://github.com/abpframework/abp/blob/8.3.4/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Logout.cshtml.cs So instead of setting my appplication logged-out path to post redirect logout uri I set auth servers /Account/Logout to same redirect path?
So we need to take auth code to our repo. We have tried to avoid that to ease versio upgrades. But maybe we this is only temporal solution and after we update to 9 there is already that fix and we can remove our custom code. What is minimum amount of code/module we need to take and override? Do we need to override only login and registration pages and is it possible to only override them and not take whole auth server code base?
So is this going to be fixed when? And is change coming only to 9 version or also to 8 version? And how big security risk do you think this is? Because for my perspective it is quite big.
When tenant has only one third party auth provider set to use and local login is not in use user is forwarded to thrid party login page automatically as you know. If that user click logout, user is redirected to logged-out page in our application after user is logged out. In that page I added button which user can click and return to application. What if user wants to change Tenant to other. Like our user suppport. They use impersonator so they can go any tenant. Now if they go to any tenant which have local login disabled and azure login is used for example they cannot change tenant anymore in login page because auth server is remembering tenant and redirecting to microsoft login page before user can change tenant.
In local environment with ng serve both applications are in same domain, localhost. In that scenario it was enough to clear __tenant cookie from cookie. But now it is not working in our Azure environemnt where application is in application-test.ab.app and auth server is auth.application-test.ab.app. When I'm in application I see this cookie.
Currently I am trying this to forget tenant when user is logging out:
cookieService.delete('__tenant', '/');
sessionStateService.setTenant(undefined);
I use ngx-cookie-service to delete cookie. I also tried to set tenant to undefined.
I know that I cannot delete cookie from another domain. So do you have any solution to forget selected tenant. I only need to do this for tenants which are not using local login.
