Azure static web app custom identity provider

Question

Azure static web app custom identity provider

Ivan b 0

Hi,

I have an Azure static webapp behind azure Front door. The authentication is implemented using a custom identity provider (ws02) OIDC configured in staticwebapp.config.json.

My Problem occurs when I log out from the static web app, no redirect to login page will be triggered and I'm still logged in.

Could you please give inputs related to use case? Are there known issues with custom identity provider?

I have also figured out that the static web app returns a 401 in a safari browser on macOS. Could you provide some inputs?

Kindly regards

IB

4 answers

Your answer

Answer 1

Konstantinos Passadis 19,586 MVP

Hello @Ivan b !

Welcome to Microsoft QnA!

For your case i suggest :

Check the Developer Tools from your browser to see the response in general use of the Static App

Check the Caching and Cookie settings on Front Door , make sure to work with different configs, start without Caching for example

https://learn.microsoft.com/en-us/azure/frontdoor/front-door-caching?pivots=front-door-standard-premium

The Identity Provider also is a major part on the configuration with settings for endpoints for login, logout, etc which you have to carefully set up!

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Ivan b 0

Hi Konstantinos,

Thanks for the feedback!

The cache is disable for Azure front door.

Here the section in my staticwebapp.config.json :

 "routes": [

	... // other routes

    {

      "route": "/login",

      "redirect": "/.auth/login/wso2?post_login_redirect_uri=/",

      "headers": {

        "Cache-Control": "no-store"

      }

    },

    {

      "route": "/logout",

      "redirect": "/.auth/logout?post_logout_redirect_uri=/logged-out",

      "headers": {

        "Cache-Control": "no-store"

      }

    }

  ],

  "auth": {

    "rolesSource": "/api/roles",

    "identityProviders": {

      "customOpenIdConnectProviders": {

        "wso2": {

          "registration": {

            "clientIdSettingName": "WSO2_CLIENT_ID",

            "clientCredential": {

              "clientSecretSettingName": "WSO2_CLIENT_SECRET"

            },

            "openIdConnectConfiguration": {

              "wellKnownOpenIdConfiguration": "https://{ws02-url}/.well-known/openid-configuration"

            }

          },

          "login": {

            "nameClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",

            "scopes": ["openid"],

            "loginParameterNames": []

          }

        }

      }

    }

  },

On the Ws02 side, the identity server is configured for OIDC authentication with code flow!

Answer 2

@Ivan b It seems that you have already disabled the cache for Azure Front Door and have set up the endpoints for login and logout in your staticwebapp.config.json file, which is what I would have started.

Regarding the issue with logout, you may want to check if the logout endpoint is being called correctly. When your web app redirects the user to the logout endpoint, this endpoint clears the user's session from the browser. If your app didn't go to the logout endpoint, the user will reauthenticate to your app without entering their credentials again. The reason is that they'll have a valid single sign-in session with the Microsoft identity platform.

To check if the logout endpoint is being called correctly, you can use the developer tools in your browser.

Open the developer tools in your browser.
Go to the "Network" tab.
Log out of your app.
Look for a request to the logout endpoint in the network traffic. The URL should be something like /.auth/logout.
Check the response to see if it was successful. The response should be a redirect to the post_logout_redirect_uri that you specified in your staticwebapp.config.json file.

If you don't see a request to the logout endpoint, it's possible that the logout button in your app is not configured correctly. You may want to double-check the configuration in your staticwebapp.config.json file to make sure that the redirect URL is correct.

Regarding the issue with Safari browser on macOS (I understand this less and might need you to provide more details), you may want to check if the browser is blocking cookies. Cookies are used to maintain the user's session, so if they are blocked, the user will not be able to log in or stay logged in.

Answer 3

Hello @Ivan b !

Make sure that the logout URL specified in the redirect property of the /logout route is correct and matches the expected URL for logging out from the custom identity provider (ws02). Double-check that the URL is accessible and performs the necessary logout actions.
Check the post_logout_redirect_uri parameter: Make sure that the post_logout_redirect_uri parameter specified in the logout URL matches the expected URL for redirecting the user after logout. Confirm that the URL is correctly configured in the custom identity provider (ws02) as well.

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Answer 4

Ivan b 0

Hi there,

Sorry for this late answer!

Here my feedback:

Even if my Azure SWA calls the endpoint .auth/logout I'm still logged in by refershing the page.
The wso2 documentation states that a id_token_hint parameter is needed in the post_redirect_uri to have a successfull logout redirect. But Azure support has confirmed me that Azure SWA does not deliver (yet) this id_token_hint information (even it's a part of OpenID connect rfc: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#toc) . no ETA could be given.

If you've some workaround, I would appreciate it

brtrach-MSFT 17,731 Reputation points Microsoft Employee Moderator

2023-07-31T23:36:04.2366667+00:00
@Ivan b If the Azure Static Web App does not deliver the id_token_hint parameter in the logout redirect, it may not be possible to log out successfully using your custom identity provider (ws02) OIDC.

One workaround you could try is to implement a logout button in your app that calls the logout endpoint of your custom identity provider directly. This way, you can ensure that the id_token_hint parameter is included in the logout request.

Another option is to switch to a different identity provider that is fully supported by Azure Static Web Apps and provides the id_token_hint parameter in the logout redirect.

Here is a list of identity providers that are fully supported by Azure Static Web Apps:

Azure Active Directory

Facebook

GitHub

Google

Twitter

Microsoft Account

Share via

Azure static web app custom identity provider

4 answers

Your answer