Juliano Roberto

Reputation: 21

Azure AD B2C Front-channel logout URL Not Working

I'm facing an issue with Azure AD B2C for which I'm struggling to find a solution.

I have multiple registered applications, each representing a different product. When I log out of one of these applications, I'd like the sessions in the other applications to be invalidated as well. Upon reviewing the documentation, I discovered that the "Front-channel logout URL" could be the solution to my problem. This functionality, when logging out and providing the idTokenHint, should revoke all sessions of the logged-in user by sending an HTTP GET request. However, this isn't what I'm observing in practice.

To illustrate, I'm using two applications: Application 1, where the login is performed, and Application 2, where the user is already logged in upon accessing it. Both applications can also perform logout. When logging out of either application, the other isn't notified of the logout.

Below are the configurations: [image: application configuration]

For the second application, I've created an HTTP GET endpoint for validation, and I'm using ngrok to check if Azure AD B2C is indeed calling the endpoint. [image: ngrok endpoint configuration]

Regardless of where the login and logout are performed, the Front-channel is never called. I can log out without issues (when any application attempts to request it, the user needs to log in again, which is the desired behavior); the problem is that the other application doesn't receive any kind of "notification" that the logout was performed on App 1 and/or App 2, which keeps the session active in the other application.

Information about the implementation:

I tried to re-implement the policies with all the recommendations described in the documentation; however, I was not successful. What I hope is that by logging out of one application, all the other applications in which the user has an active session are also invalidated.

Upvotes: 2

Views: 700

Answers (2)

Muhammad Zeeshan

Reputation: 41

I have been working on resolving this issue for the past week, but the accepted solution does not work in my case. Therefore, I am sharing some of my findings based on my experience while troubleshooting this issue:

  1. Custom Policies Requirement: Initially, I was using user flows to address this issue. However, I later discovered that single logout functionality only works with custom policies.

  2. Cookie Sharing in Third-Party Contexts: By default, cookies are not intentionally shared in a third-party context. This means that requests within an iframe will function as expected. Additionally, the Secure attribute must be explicitly set for the cookie to ensure proper behavior, so the cookie SameSite attribute must be None.

  3. If you are using the Azure Active Directory B2C custom policy starter pack, then you need to follow this to log out, OR add the code below to the TrustFrameworkExtensions file.

[image: Logout XML content]

After implementing the cookie configuration, you should be able to observe the iframe request in the Network tab, which will be directed to the front-channel URL of the other applications.

Below are the cookie configuration images for both the .NET Core application and the legacy application that I have implemented.

[image: .NET Core B2C configuration]

[image: .NET 4.8 configuration]

Upvotes: 0

Juliano Roberto

Reputation: 21

When Application 1 or 2 logged out, I observed in the network inspection tab that Azure AD B2C was not calling the configured URLs. After deleting all my policies and waiting for the cache to clear, I re-uploaded the policies without any changes, and the problem was resolved.

If you are experiencing a similar issue, consider the following actions:

  • Delete all policies, wait for the Azure AD B2C cache to update, and re-upload the policies.

  • Verify that the configured URLs are correct.

  • Ensure that the endpoint you created only clears the cache of your application and does not perform any redirection.

Upvotes: 0
