As part of an app upgrade I needed to make several upgrades (.NET 4.5 → 4.8, OWIN and OpenIdConnect). I'm not very familiar with that part of the application, so the code changes below were provided to me, and they appeared to work fine except for one serious issue: compared with the previous behavior, the login and logout processes are now behaving incorrectly.
Here is the important part of the legacy startup.cs:
public void Configuration(IAppBuilder app)
{
    // Sign-ins produced by the OpenID Connect middleware are issued into the cookie scheme.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    // Session cookie: not readable from script, sent over HTTPS only, lifetime taken from
    // configuration (stored as text, in seconds) and renewed on activity.
    var cookieOptions = new CookieAuthenticationOptions
    {
        CookieManager = new SystemWebCookieManager(),
        CookieHttpOnly = true,
        CookieSecure = CookieSecureOption.Always,
        ExpireTimeSpan = TimeSpan.FromSeconds(Convert.ToInt32(_authSessionTimeout)),
        SlidingExpiration = true
    };
    app.UseCookieAuthentication(cookieOptions);

    var oidcOptions = new OpenIdConnectAuthenticationOptions
    {
        // Client registration values, read from web.config into the fields used here.
        ClientId = _clientId,
        Authority = _authority,
        RedirectUri = _redirectUri,
        ClientSecret = _clientSecret,
        // The cookie lifetime configured above wins; the token lifetime must not override it.
        UseTokenLifetime = false,
        // Where the identity provider sends the browser once sign-out has completed.
        PostLogoutRedirectUri = _postLogoutRedirectUri,
        Scope = OpenIdConnectScope.OpenIdProfile,
        // Ask for an authorization code together with an id_token (response_type=code id_token).
        ResponseType = OpenIdConnectResponseType.CodeIdToken,
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            // Failed authentications are handled by OnAuthenticationFailed (defined elsewhere in this class).
            AuthenticationFailed = OnAuthenticationFailed,
            // Runs just before the browser is redirected to the identity provider.
            RedirectToIdentityProvider = notification =>
            {
                var message = notification.ProtocolMessage;
                // Always request an interactive login from the identity provider ...
                message.Prompt = "login";
                // ... and treat an IdP session older than the configured session timeout as stale
                // (same configured value that drives the cookie lifetime above).
                message.MaxAge = _authSessionTimeout;
                // NOTE(review): this notification presumably fires for sign-out redirects as well as
                // sign-in redirects, so both parameters would be attached there too — confirm against
                // the middleware version in use.
                return Task.FromResult(0);
            }
        }
    };
    app.UseOpenIdConnectAuthentication(oidcOptions);
}
and here is the corresponding part of the new startup.auth.cs:
public void Configuration(IAppBuilder app)
{
    // Every sign-in issued by the OpenID Connect middleware lands in the cookie scheme.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    // The configured timeout is stored as text; it is the auth cookie lifetime in seconds.
    var sessionLifetime = TimeSpan.FromSeconds(Convert.ToInt32(_authSessionTimeout));

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        CookieManager = new SystemWebCookieManager(),
        // Cookie is hidden from script and only ever sent over HTTPS.
        CookieHttpOnly = true,
        CookieSecure = CookieSecureOption.Always,
        ExpireTimeSpan = sessionLifetime,
        // Lifetime is renewed while the user stays active.
        SlidingExpiration = true
    });

    var notifications = new OpenIdConnectAuthenticationNotifications
    {
        // Failed authentications go to OnAuthenticationFailed (defined elsewhere in this class).
        AuthenticationFailed = OnAuthenticationFailed,
        // Called immediately before the browser is sent to the identity provider.
        RedirectToIdentityProvider = ctx =>
        {
            // Force an interactive login on every redirect ...
            ctx.ProtocolMessage.Prompt = "login";
            // ... and cap the accepted age of the IdP session at the configured session timeout
            // (the same value used for the cookie lifetime).
            ctx.ProtocolMessage.MaxAge = _authSessionTimeout;
            // NOTE(review): the notification is presumably also invoked for sign-out redirects,
            // in which case prompt/max_age are attached to those requests too — confirm against
            // the middleware version in use.
            return Task.FromResult(0);
        }
    };

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        // Client registration values obtained from web.config.
        ClientId = _clientId,
        Authority = _authority,
        RedirectUri = _redirectUri,
        ClientSecret = _clientSecret,
        // Do not let the token lifetime override the cookie lifetime configured above.
        UseTokenLifetime = false,
        // Page the identity provider redirects to after sign-out.
        PostLogoutRedirectUri = _postLogoutRedirectUri,
        Scope = OpenIdConnectScope.OpenIdProfile,
        // response_type=code id_token: an authorization code plus an id_token describing the user.
        ResponseType = OpenIdConnectResponseType.CodeIdToken,
        Notifications = notifications
    });
}
The core problem is that on login, the authorization request sent by the LEGACY code includes parameters such as `prompt=login`, while the request sent by the NEW code does not, as shown here:
To be honest, I'm completely lost. It appears to be a problem with the OpenIdConnectAuthenticationNotifications, but I can't find any clear answer as to what might be wrong. Any help would be greatly appreciated.