Tags: azure-ad-b2c, azure-ad-msal, azure-ad-b2c-custom-policy, microsoft-entra-id

Azure AD B2C Front-channel logout URL Not Working


I'm facing an issue with Azure AD B2C for which I'm struggling to find a solution.

I have multiple registered applications, each representing a different product. When I log out of one of these applications, I'd like the sessions in the other applications to be invalidated as well. Upon reviewing the documentation, I discovered that the "Front-channel logout URL" could be the solution to my problem. This functionality, when logging out and providing the idTokenHint, should revoke all sessions of the logged-in user by sending an HTTP GET request. However, this isn't what I'm observing in practice.

To illustrate, I'm using two applications: Application 1, where the login is performed, and Application 2, where the user is already logged in upon accessing it. Both applications can also perform logout. When logging out of either application, the other isn't notified of the logout.

Below are the configurations (screenshot not included).

For the second application, I've created an HTTP GET endpoint for validation, and I'm using ngrok to check if Azure AD B2C is indeed calling the endpoint (screenshot not included).

Regardless of where the login and logout are performed, the Front-channel is never called. I can log out without issues (when any application attempts to request it, the user needs to log in again, which is the desired behavior); the problem is that the other application doesn't receive any kind of "notification" that the logout was performed on App 1 and/or App 2, which keeps the session still active in the other application.

Information about the implementation:

  • I followed all the recommendations from the documentation, and my Technical profiles are identical to the recommended ones: here and here.
  • I also attempted the implementation from the link, but without success.
  • My SUSI policy is using the SingleSignOn method scoped as "Tenant" (doc), and EnforceIdTokenHintOnLogout is set to true.
  • Application 1 is using OWIN + .NET Framework 4.7, and Application 2 is using React JS + MSAL.js (allowRedirectInIframe is set to true).
  • Both applications send the idTokenHint in the logout request.

I tried to re-implement the policies with all the recommendations described in the documentation; however, I was not successful. What I hope is that by logging out of one application, all the other applications in which the user has an active session are also invalidated.


Solution

  • When Application 1 or 2 logs out, I observed in the network inspection tab that Azure AD B2C was not calling the configured URLs. After deleting all my policies and waiting for the cache to clear, I re-uploaded the policies without any changes, and the problem was resolved.

    If you are experiencing a similar issue, consider the following actions:

    • Delete all policies, wait for the Azure AD B2C cache to update, and re-upload the policies.

    • Verify that the configured URLs are correct.

    • Ensure that the endpoint you created only clears the cache of your application and does not perform any redirection.
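As an added illustration of the last point (this is example code, not from the question or the answer, and not MSAL's or B2C's own implementation), here is a framework-agnostic front-channel logout handler that clears only the local session and never returns a redirect. The in-memory session store, the cookie name and the login host are assumed values.

```javascript
// Constructed in-memory session store: cookie value -> session record.
const sessions = new Map([
  ["cookie-abc", { sub: "user-1", sid: "sid-111" }],
  ["cookie-def", { sub: "user-2", sid: "sid-222" }],
]);

// Assumed login host; the front-channel logout page is loaded in an iframe from here.
const LOGIN_HOST = "https://example-tenant.b2clogin.com";
const SESSION_COOKIE = "app_session";

// req: { query: { sid?: string }, cookies: { [name]: string } }
// Returns a response descriptor that the caller maps onto its HTTP framework.
function handleFrontChannelLogout(req) {
  const cookieValue = req.cookies[SESSION_COOKIE];
  const session = cookieValue ? sessions.get(cookieValue) : undefined;
  let cleared = false;

  // If the identity provider sent an OIDC front-channel `sid`, clear the
  // session only when it matches; with no `sid`, fall back to the cookie-bound session.
  if (session && (!req.query.sid || !session.sid || req.query.sid === session.sid)) {
    sessions.delete(cookieValue);
    cleared = true;
  }

  return {
    status: 200, // never a 3xx: a redirect inside the logout iframe breaks the flow
    headers: {
      "Cache-Control": "no-store",
      // Allow only the identity provider to frame this endpoint.
      "Content-Security-Policy": `frame-ancestors ${LOGIN_HOST}`,
      // Expire the cookie in the browser too. SameSite=None; Secure is needed,
      // otherwise the cookie is not sent at all in the cross-site iframe.
      "Set-Cookie": `${SESSION_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=None`,
    },
    body: "",
    cleared,
  };
}
```

If the cookie never reaches this endpoint, the iframe request shows up in the server log without the cookie header, which usually means the SameSite attribute on the session cookie is blocking it.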