Reputation: 803
Post_Logout_Redirect_Uri does not redirect when authenticating using azure
Using OWIN & OpenId to authenticate users for my basic web application using Azure Active Directory, as described in the Readme.md in Microsoft's sample project here:https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect
The following item is in my web.config:
<add key="ida:PostLogoutRedirectUri" value="https://localhost:44320/" />
The Startup.Auth is as follows:
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
private static string tenant = ConfigurationManager.AppSettings["ida:Tenant"];
private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
RedirectUri = "https://localhost:44320/Home/About",
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = context =>
{
context.HandleResponse();
context.Response.Redirect("/Error?message=" + context.Exception.Message);
return Task.FromResult(0);
}
}
});
}
}
However the microsoft.com website does not redirect even though the redirect URI made it into it's URL
Upvotes: 10
Views: 6129
Answers (2)
Reputation: 803
I spent a lot of time properly figuring out how to get this to work. Even though 3 years ago we just didn't bother. There seemed to be a lot of people on the internet with this issue and I wanted to make sure this is answered for everyone.
The solution below applies for the issue occurring for a standard Azure AD. It also applies to Azure AD B2C, in the circumstance where you sign in with an organizational account. (Note that this solution does not cover the new b2clogin URIs and user flow technique, as it didn't exist at the time that I asked the question)
At the time this was asked, there appeared to be a bug of some kind in Azure. A workaround was as follows: The URI you are using as a post logout redirect must be specified in both the reply URLs and as the Front Channel Logout URL. Normally front-channel logout is a silent request that the IDP sends to your application to allow you to run logic to clear cookies, but doesn't cause a redirect. Before implementing this you should check if Microsoft has fixed the issue.
Be careful of accidentally adding trailing slashes at the end of your URIs. Try to keep them perfectly identical here and in your client application.An authority of the form
https://login.microsoftonline.com/<org-name>.onmicrosoft.com/V2.0would not work. For a standard Azure AD I had to change the authority to be of the formhttps://login.microsoftonline.com/<tenant-id>/V2.0for a specific tenant orhttps://login.microsoftonline.com/common/V2.0which is also used in some scenarios I think. For B2C AD tenants it only works for thecommonendpoint above.
Side note 1: with the common endpoint you have to set ValidateIssuer to false in the token validation parameters or you will get an exception. Doing the validation correctly is outside the scope of this SO question.
Side note 2: When searching for this issue on Google you might come across some solutions to the problem for people authenticating against Identity Server. The solutions and the specification suggest you to add an id_token_hint to your signout request. This was neither sufficient nor necessary for me to get the redirect working for Azure AD.
Upvotes: 5
Reputation: 4408
If it doesn't work anyway be aware of this Azure AD post logout redirection behavior, that caused troubles in my case:
- It didn't work for root accounts of the tenant, that is my personal account, which created Azure subscription.
- But it worked for new accounts I created inside of my subscription.
Upvotes: 0
Related Questions
- Azure Logout Redirect (post_logout_redirect_uri) is not working
- Azure AD Logout URL not redirecting
- post_logout_redirect_uri ASP NET Core 2.2 AzureAD Razor Class Library RCL
- How to get Azure OIDC to respect my redirect URI?
- ASP.Net Owin Authentication.SignOut not redirecting user via RedirectUri on sign out
- Unable to redirect on an url on post logout azure AD
- Azure AD - openid connect post_logout_redirect_uri when user does have a session
- Redirection from Azure Active Directory authentication doesn't handle anchor in the URL in ASP.NET project with OpenID Connect?
- redirect_uri containing query string does not match configured redirect URL's
- Azure AD Logout Url - Redirect not working