Handling logout without internet connection

[keithlfs]

We're using Duende IdentityServer alongside the OIDC client to manage authentication in a .NET MAUI mobile app.

Occasionally, a user session times out while they’re offline - for example, when travelling through a tunnel on a train. In this situation, the app attempts to log the user out, but fails because it can’t reach the identity server. This results in exceptions being thrown during the logout process.

Question: What’s the recommended approach for handling logout operations when the device has no internet connectivity? Should we queue the logout for later, catch and ignore the error, or is there a more elegant pattern we should be following in this scenario?

Any guidance or examples would be much appreciated!

[aaronclawrence]

I get the impression that until recently OAuth design did not consider network connectivity problems.

In one sense, so long as you clear the tokens in the client, then nobody can use them anymore, so that's effectively a logout. Identity server will still think it's alive but there is no external knowledge of the token so it will eventually timeout and be expired.

Queuing them might be possible, but realistically you can't count on ever being able to send that, and it might even be considered a security risk to hang onto tokens in order to be able to do a "late logout".