Revocation endpoint not configured error on logout after .NET 9 upgrade

[pdevito3]

Which version of Duende BFF are you using? 2.2.0

Which version of .NET are you using? .NET 9

Describe the bug

After upgrading to .NET 9, I'm seeing a Revocation endpoint not configured error when logging out a user. I can repro this by going backward one commit to .NET 8 and then forward where my only change is a .NET 9 upgrade -- specifically, i think it's Microsoft.AspNetCore.Authentication.OpenIdConnect i can confirm it's because of Microsoft.AspNetCore.Authentication.OpenIdConnect -- if i downgrade to 8.0.11 it works again

To Reproduce
Update a BFF project with Microsoft.AspNetCore.Authentication.OpenIdConnect to .NET 9 and try logging out

Expected behavior
I should be able to log out like normal

Log output/exception with stacktrace

{
"type": "https://httpstatuses.io/500",
"title": "Internal Server Error",
"status": 500,
"detail": "Revocation endpoint not configured",
"exceptionDetails": [
{
"message": "Revocation endpoint not configured",
"type": "System.InvalidOperationException",
"raw": "System.InvalidOperationException: Revocation endpoint not configured\n   at Duende.AccessTokenManagement.OpenIdConnect.UserTokenEndpointService.RevokeRefreshTokenAsync(UserToken userToken, UserTokenRequestParameters parameters, CancellationToken cancellationToken) in /_/src/Duende.AccessTokenManagement.OpenIdConnect/UserTokenEndpointService.cs:line 167\n   at Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService.RevokeRefreshTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters parameters, CancellationToken cancellationToken) in /_/src/Duende.AccessTokenManagement.OpenIdConnect/UserAccessTokenManagementService.cs:line 140\n   at Microsoft.AspNetCore.Authentication.TokenManagementHttpContextExtensions.RevokeRefreshTokenAsync(HttpContext httpContext, UserTokenRequestParameters parameters, CancellationToken cancellationToken) in /_/src/Duende.AccessTokenManagement.OpenIdConnect/TokenManagementHttpContextExtensions.cs:line 51\n   at Duende.Bff.PostConfigureApplicationCookieRevokeRefreshToken.<>c__DisplayClass5_0.<<CreateCallback>g__Callback|0>d.MoveNext() in /_/src/Duende.Bff/SessionManagement/Configuration/PostConfigureApplicationCookieRevokeRefreshToken.cs:line 50\n--- End of stack trace from previous location ---\n   at Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler.HandleSignOutAsync(AuthenticationProperties properties)\n   at Microsoft.AspNetCore.Authentication.AuthenticationService.SignOutAsync(HttpContext context, String scheme, AuthenticationProperties properties)\n   at Duende.Bff.DefaultLogoutService.ProcessRequestAsync(HttpContext context) in /_/src/Duende.Bff/EndpointServices/Logout/DefaultLogoutService.cs:line 93\n   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)\n   at Duende.Bff.Endpoints.BffMiddleware.Invoke(HttpContext context) in /_/src/Duende.Bff/EndpointProcessing/BffMiddleware.cs:line 76\n   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)\n   at Hellang.Middleware.ProblemDetails.ProblemDetailsMiddleware.Invoke(HttpContext context)",
"stackFrames": [
{
"filePath": "[/_/src/Duende.AccessTokenManagement.OpenIdConnect/UserTokenEndpointService.cs](https://localhost:4378/_/src/Duende.AccessTokenManagement.OpenIdConnect/UserTokenEndpointService.cs)",
"fileName": "UserTokenEndpointService.cs",
"function": "Duende.AccessTokenManagement.OpenIdConnect.UserTokenEndpointService.RevokeRefreshTokenAsync(UserToken userToken, UserTokenRequestParameters parameters, CancellationToken cancellationToken)",
"line": 167,
"preContextLine": null,
"preContextCode": null,
"contextCode": null,
"postContextCode": null
},
{
"filePath": "[/_/src/Duende.AccessTokenManagement.OpenIdConnect/UserAccessTokenManagementService.cs](https://localhost:4378/_/src/Duende.AccessTokenManagement.OpenIdConnect/UserAccessTokenManagementService.cs)",
"fileName": "UserAccessTokenManagementService.cs",
"function": "Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService.RevokeRefreshTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters parameters, CancellationToken cancellationToken)",
"line": 140,
"preContextLine": null,
"preContextCode": null,
"contextCode": null,
"postContextCode": null
},
{
"filePath": "[/_/src/Duende.AccessTokenManagement.OpenIdConnect/TokenManagementHttpContextExtensions.cs](https://localhost:4378/_/src/Duende.AccessTokenManagement.OpenIdConnect/TokenManagementHttpContextExtensions.cs)",
"fileName": "TokenManagementHttpContextExtensions.cs",
"function": "Microsoft.AspNetCore.Authentication.TokenManagementHttpContextExtensions.RevokeRefreshTokenAsync(HttpContext httpContext, UserTokenRequestParameters parameters, CancellationToken cancellationToken)",
"line": 51,
"preContextLine": null,
"preContextCode": null,
"contextCode": null,
"postContextCode": null
},
{
"filePath": "[/_/src/Duende.Bff/SessionManagement/Configuration/PostConfigureApplicationCookieRevokeRefreshToken.cs](https://localhost:4378/_/src/Duende.Bff/SessionManagement/Configuration/PostConfigureApplicationCookieRevokeRefreshToken.cs)",
"fileName": "PostConfigureApplicationCookieRevokeRefreshToken.cs",
"function": "Duende.Bff.PostConfigureApplicationCookieRevokeRefreshToken+<>c__DisplayClass5_0+<<CreateCallback>g__Callback|0>d.MoveNext()",
"line": 50,
"preContextLine": null,
"preContextCode": null,
"contextCode": null,
"postContextCode": null
},
{
"filePath": null,
"fileName": null,
"function": "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler.HandleSignOutAsync(AuthenticationProperties properties)",
"line": null,
"preContextLine": null,
"preContextCode": null,
"contextCode": null,
"postContextCode": null
},
{
"filePath": null,
"fileName": null,
"function": "Microsoft.AspNetCore.Authentication.AuthenticationService.SignOutAsync(HttpContext context, string scheme, AuthenticationProperties properties)",
"line": null,
"preContextLine": null,
"preContextCode": null,
"contextCode": null,
"postContextCode": null
},
{
"filePath": "[/_/src/Duende.Bff/EndpointServices/Logout/DefaultLogoutService.cs](https://localhost:4378/_/src/Duende.Bff/EndpointServices/Logout/DefaultLogoutService.cs)",
"fileName": "DefaultLogoutService.cs",
"function": "Duende.Bff.DefaultLogoutService.ProcessRequestAsync(HttpContext context)",
"line": 93,
"preContextLine": null,
"preContextCode": null,
"contextCode": null,
"postContextCode": null
},
{
"filePath": null,
"fileName": null,
"function": "Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)",
"line": null,
"preContextLine": null,
"preContextCode": null,
"contextCode": null,
"postContextCode": null
},
{
"filePath": "[/_/src/Duende.Bff/EndpointProcessing/BffMiddleware.cs](https://localhost:4378/_/src/Duende.Bff/EndpointProcessing/BffMiddleware.cs)",
"fileName": "BffMiddleware.cs",
"function": "Duende.Bff.Endpoints.BffMiddleware.Invoke(HttpContext context)",
"line": 76,
"preContextLine": null,
"preContextCode": null,
"contextCode": null,
"postContextCode": null
},
{
"filePath": null,
"fileName": null,
"function": "Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)",
"line": null,
"preContextLine": null,
"preContextCode": null,
"contextCode": null,
"postContextCode": null
},
{
"filePath": null,
"fileName": null,
"function": "Hellang.Middleware.ProblemDetails.ProblemDetailsMiddleware.Invoke(HttpContext context)",
"line": null,
"preContextLine": null,
"preContextCode": null,
"contextCode": null,
"postContextCode": null
}
]
}
],
"traceId": "00-9c032e0020fbc4cedb90d73e6348a67f-c4df52ce3a60309d-00"
}

[RolandGuijt]

Duende.AccessTokenManagement, a library Duende BFF relies on doesn't support this yet. ASP.NET Core 8 on .NET 8 references Microsoft.IdentityModel.* version 7.x and that is what we are currently supporting.

We are working on this however. Progress on this can be tracked here.