Reputation: 2048
I am building the following URL
https://login.microsoftonline.com/<tenantid>/oauth2/logout?client_id=<clientId>&post_logout_redirect_uri=<encodedurl>
It looks something like
https://login.microsoftonline.com/f4aaf6e1-ffff-ffff-bb63-4e8ebf728113/oauth2/logout?client_id=f562b4e3-ffff-ffff-b4bb-49ca64216e75&post_logout_redirect_uri=https%3A%2F%2Fmyazureapp.azurewebsites.net
It logs me out but does not redirect me back to my app
like this URL does for Azure:
https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3a%2f%2fmanage.windowsazure.com%2fSignOut%2fComplete
I have looked at the suggested related Q's and I have tried a few variations.
Edit: it turned out to be an intermittent issue, which I guess was due to some cookies / other state not being reset when I was doing my dev / test cycles. With a fresh browser it works. When it works the sign-out screen says something like "Hang on a moment while we sign you out" and then it redirects; when it does not work the screen says "You have been signed out, please close your browser".
Upvotes: 17
Views: 71739
Reputation: 171
The logout URL below works for me, without configuring the logout URL in the Azure app. [Front-channel logout URL]
Here baseurlOfdWebsite should be URL encoded.
Upvotes: 2
Reputation: 191
With Python, Flask and MSAL 2.0 I did the following:
from urllib.parse import quote
from flask import redirect, session, url_for
from flask_login import logout_user

@app.route("/logout")
def logout():
    logout_user()
    if session.get("user"):  # Used MS Login
        # Wipe out user and its token cache from session
        session.clear()
        # Also log out from your tenant's web session. The redirect must be
        # returned; otherwise Flask discards it and the user is never sent to
        # the end_session_endpoint. The post_logout_redirect_uri value is
        # percent-encoded so ':' and '/' survive as a single query parameter.
        return redirect(
            Config.AUTHORITY
            + "/oauth2/v2.0/logout"
            + "?post_logout_redirect_uri="
            + quote(url_for("login", _external=True, _scheme="https"), safe="")
        )
    app.logger.info("Logging user out.")
    return redirect(url_for("login"))
In Azure Portal configured my endpoints like this:
Environment variables are configured like this:
# OAuth - Azure Active Directory and MSAL
export CLIENT_SECRET=<your-client-secret>
export CLIENT_ID=<your-client-id>
export REDIRECT_PATH=/getAToken
export AUTHORITY=https://login.microsoftonline.com/common
export SCOPE=User.Read
export SESSION_TYPE=filesystem
config.py file:
import os
from dotenv import load_dotenv

basedir = os.path.abspath(os.path.dirname(__file__))
load_dotenv(os.path.join(basedir, ".env"))


class Config(object):
    ### Info for MS Authentication ###
    ### As adapted from: https://github.com/Azure-Samples/ms-identity-python-webapp ###
    CLIENT_SECRET = os.environ.get("CLIENT_SECRET")
    # In your production app, Microsoft recommends you to use other ways to store your secret,
    # such as KeyVault, or environment variable as described in Flask's documentation here:
    # https://flask.palletsprojects.com/en/1.1.x/config/#configuring-from-environment-variables
    # CLIENT_SECRET = os.getenv("CLIENT_SECRET")
    # if not CLIENT_SECRET:
    #     raise ValueError("Need to define CLIENT_SECRET environment variable")
    AUTHORITY = os.environ.get("AUTHORITY")  # For multi-tenant app, else put tenant name
    # AUTHORITY = "https://login.microsoftonline.com/Enter_the_Tenant_Name_Here"
    CLIENT_ID = os.environ.get("CLIENT_ID")
    REDIRECT_PATH = os.environ.get(
        "REDIRECT_PATH"
    )  # Used to form an absolute URL; must match the app's redirect_uri set in AAD
    # You can find the proper permission names in this document:
    # https://learn.microsoft.com/en-us/graph/permissions-reference
    SCOPE = [os.environ.get("SCOPE")]  # Only need to read user profile for this app
    SESSION_TYPE = os.environ.get(
        "SESSION_TYPE"
    )  # Token cache will be stored in server-side session
Upvotes: 0
Reputation: 21
I had this issue as well; what worked for me is:
https://login.windows.net/<tenant_id_of_your_app>/oauth2/logout?post_logout_redirect_uri=<logout_URL_of_your_app>/logout
Upvotes: 2
Reputation: 14649
I assume you were using the OpenID Connect flow and want to sign the user out. To ensure the redirection from Azure AD to the URL we specify with the post_logout_redirect_uri parameter, we need to register it in the Reply URLs of the app registration on the Azure portal.
After that, we also need to ensure that the user is signed out of Azure AD successfully. For example, we sign in the user and after that we sign out the user. This time the redirect should work as expected. Then we send a sign-out request again; this time the redirection will not work, since the user has already been signed out.
In addition, there is no need to provide the client_id parameter for the request to the end_session_endpoint via the OpenID Connect flow. For more detail about OpenID Connect, you can refer to the document below:
Authorize access to web applications using OpenID Connect and Azure Active Directory
Upvotes: 1
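The URL construction the question describes and the reply-URL registration requirement the answer above explains, as an added example that is not code from the question or any answer on this page. It builds the v1 and v2 end_session_endpoint URLs with post_logout_redirect_uri percent-encoded, decodes the parameter back out of a URL, and refuses a target that is not on the app registration's redirect URI list, since Azure AD will then sign the user out without redirecting. The tenant and client IDs are the redacted values from the question; REGISTERED_REPLY_URLS is a constructed stand-in for the Redirect (Reply) URIs configured in the Azure portal.

```python
"""Build an Azure AD sign-out URL and check its post_logout_redirect_uri.

Added example; not code from the question or any answer on this page.
Assumptions: the tenant and client IDs are the redacted values from the
question, and REGISTERED_REPLY_URLS is a constructed stand-in for the
Redirect (Reply) URIs configured on the app registration in the Azure portal.
"""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORITY_HOST = "https://login.microsoftonline.com"

# Constructed allowlist: what the app registration in the portal would hold.
REGISTERED_REPLY_URLS = {
    "https://myazureapp.azurewebsites.net",
    "https://myazureapp.azurewebsites.net/signout-callback",
}


def build_logout_url(tenant, post_logout_redirect_uri, client_id=None, v2=False):
    """Return the end_session_endpoint URL for `tenant` ("common", a tenant ID
    or a verified domain) with post_logout_redirect_uri percent-encoded.

    v2=True selects /oauth2/v2.0/logout (what MSAL uses); the default is the
    v1 /oauth2/logout endpoint from the question. client_id is accepted but
    is not required by either endpoint.
    """
    path = "/oauth2/v2.0/logout" if v2 else "/oauth2/logout"
    params = {}
    if client_id:
        params["client_id"] = client_id
    params["post_logout_redirect_uri"] = post_logout_redirect_uri
    # quote_via=quote with urlencode's default safe="" encodes ':' and '/' as
    # %3A and %2F, giving the same form as the encoded URL in the question.
    return f"{AUTHORITY_HOST}/{tenant}{path}?{urlencode(params, quote_via=quote)}"


def extract_post_logout_redirect(logout_url):
    """Decode post_logout_redirect_uri back out of a logout URL (None if absent).
    Percent-decoding is case-insensitive, so %2f and %2F both round-trip."""
    query = parse_qs(urlsplit(logout_url).query)
    values = query.get("post_logout_redirect_uri")
    return values[0] if values else None


def is_registered(post_logout_redirect_uri, registered=REGISTERED_REPLY_URLS):
    """Azure AD only honours post_logout_redirect_uri when it matches a redirect
    URI on the app registration; otherwise it signs the user out and shows the
    generic "you have been signed out" page instead of redirecting. Doing the
    same check before building the URL catches the misconfiguration early.
    The match is exact: a trailing slash or http vs https is a different URI.
    """
    return post_logout_redirect_uri in registered


def checked_logout_url(tenant, post_logout_redirect_uri, **kwargs):
    """build_logout_url, but refuse a target that is not registered."""
    if not is_registered(post_logout_redirect_uri):
        raise ValueError(
            f"{post_logout_redirect_uri!r} is not a registered redirect URI; "
            "Azure AD will not redirect to it after sign-out"
        )
    return build_logout_url(tenant, post_logout_redirect_uri, **kwargs)


if __name__ == "__main__":
    tenant = "f4aaf6e1-ffff-ffff-bb63-4e8ebf728113"
    client = "f562b4e3-ffff-ffff-b4bb-49ca64216e75"
    print(checked_logout_url(tenant, "https://myazureapp.azurewebsites.net", client_id=client))
    try:
        # Trailing slash: not the registered value, so refused before any request is sent.
        checked_logout_url(tenant, "https://myazureapp.azurewebsites.net/")
    except ValueError as err:
        print("rejected:", err)
```

The first call reproduces the question's URL byte for byte. The rejected case is the practical check to run when Azure AD shows "you have been signed out, please close your browser" instead of redirecting: compare the decoded post_logout_redirect_uri against the registration exactly, including scheme, port and trailing slash.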
Reputation: 6245
Set the Logout URL property in your AD application.
Upvotes: 10