Forcing user logout after password change in Azure B2C

Michael Haggren 0 Reputation points
2024-05-07T07:27:43.8566667+00:00

Hello,

I have two separate applications - a SPA-web application and a mobile application. I have set up user journeys and technical profiles that redirect users to reset their passwords when needed. However, I'm having trouble figuring out how to log out the user from both the web and mobile apps once they have reset their password. Azure B2C does not have a "revoke" endpoint for tokens like GCP and Amazon do.

I have set up a front-channel logout URL that clears the user's cookies and session after they press the logout button on the website. That happens after I call the B2C logout URL and pass the front-channel logout URL as the redirect URI.

I would like to accomplish the same thing using custom policies. Specifically, I want to force a user to log out after they have manually changed their password or completed the "reset password" flow. I have tried using the "revokeSignInSessions" endpoint with Microsoft Graph, but it did not work.

Has anyone been in a similar scenario and successfully implemented something like this?

Best regards, M

Microsoft Entra ID

1 answer

  1. James Hamil 22,436 Reputation points Microsoft Employee
    2024-05-09T18:38:35.35+00:00

    Hi @Michael Haggren, while Azure B2C does not have a "revoke" endpoint for tokens like GCP and Amazon do, there are a few ways that you can accomplish this.

    One approach is to use a custom policy to force the user to log out after they have reset their password. You can do this by adding a "Logout" technical profile to your custom policy that is triggered after the user has successfully reset their password. The "Logout" technical profile should include the "revokeSignInSessions" endpoint with Microsoft Graph to revoke the user's tokens and force them to log out of all applications.

    Here is an example of what the "Logout" technical profile might look like:

    <TechnicalProfile Id="Logout">
      <DisplayName>Logout</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.AzureActiveDirectoryProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="client_id">your_client_id</Item>
        <Item Key="IdTokenAudience">your_client_id</Item>
        <Item Key="revoke_tokens_endpoint">https://graph.microsoft.com/v1.0/users/{objectId}/revokeSignInSessions</Item>
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="objectId" />
      </InputClaims>
      <OutputClaims />
      <IncludeTechnicalProfile ReferenceId="AAD-Common" />
    </TechnicalProfile>
    

    You can then add a "ValidationTechnicalProfile" to your password reset user journey that calls the "Logout" technical profile after the user has successfully reset their password. Here is an example of what the "ValidationTechnicalProfile" might look like:

    <ValidationTechnicalProfiles>
      <ValidationTechnicalProfile ReferenceId="LocalAccountWritePasswordUsingObjectId" />
      <ValidationTechnicalProfile ReferenceId="Logout" />
    </ValidationTechnicalProfiles>
    

    This will ensure that the user is logged out of all applications after they have reset their password.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you, please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
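The Graph call the answer relies on, shown end to end as an added example (not code from the question, the answer, or Microsoft): an app-only token is obtained with the client-credentials grant and then POSTed to `/users/{id}/revokeSignInSessions`. It assumes a B2C tenant with an app registration that holds an application permission allowing session revocation (for example `User.RevokeSessions.All`); the tenant name, client id, secret and user object id are placeholders, and `FakeTransport` is a constructed stand-in for the network so the module runs offline. The docstring on `revoke_sign_in_sessions` states the caveat that matters for the original question: the call resets refresh tokens and session cookies, so silent renewals fail from then on, but access tokens already issued to the SPA and the mobile app stay valid until they expire. A backend reached from a RESTful technical profile could make this call after the password write; the apps themselves still need the front-channel logout (or a short access-token lifetime) to drop the current session promptly.

```python
"""Added example: revoke a B2C user's sign-in sessions via Microsoft Graph.

Not the page's own code. The token endpoint and Graph action are real;
tenant, app registration and user object id are placeholders, and
FakeTransport replaces the network so the module runs offline.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
LOGIN_BASE = "https://login.microsoftonline.com"


def http_post(url, body, headers):
    """Real transport: POST `body` (bytes) and return (status, response bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_app_token(tenant, client_id, client_secret, post=http_post):
    """Client-credentials token for Graph; needs an application permission."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    status, body = post(f"{LOGIN_BASE}/{tenant}/oauth2/v2.0/token", form,
                        {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body[:200]!r}")
    return json.loads(body)["access_token"]


def revoke_sign_in_sessions(object_id, access_token, post=http_post):
    """POST /users/{id}/revokeSignInSessions.

    Resets the user's refresh tokens and browser session cookies, so every
    token refresh or silent sign-in after this point fails. It does not
    shorten access tokens already issued: those stay valid until expiry.
    Returns True when Graph answers {"value": true}.
    """
    url = f"{GRAPH_BASE}/users/{urllib.parse.quote(object_id)}/revokeSignInSessions"
    status, body = post(url, b"", {"Authorization": f"Bearer {access_token}"})
    if status != 200:
        raise RuntimeError(f"revokeSignInSessions failed: {status} {body[:200]!r}")
    return json.loads(body).get("value") is True


class FakeTransport:
    """Constructed stand-in for login/Graph: records calls, answers offline."""

    def __init__(self, revoke_ok=True):
        self.calls = []
        self.revoke_ok = revoke_ok

    def __call__(self, url, body, headers):
        self.calls.append((url, body, dict(headers)))
        if url.endswith("/oauth2/v2.0/token"):
            return 200, json.dumps({"access_token": "fake-app-token",
                                    "token_type": "Bearer"}).encode()
        if url.endswith("/revokeSignInSessions"):
            if headers.get("Authorization") != "Bearer fake-app-token":
                return 401, b'{"error":{"code":"InvalidAuthenticationToken"}}'
            return 200, json.dumps({"value": self.revoke_ok}).encode()
        return 404, b""


def demo(transport=None):
    """Run the two-step flow (token, then revoke); returns (revoked, urls called)."""
    transport = transport or FakeTransport()
    token = get_app_token("PLACEHOLDER-tenant.onmicrosoft.com",
                          "PLACEHOLDER-client-id", "PLACEHOLDER-secret",
                          post=transport)
    revoked = revoke_sign_in_sessions("00000000-0000-0000-0000-000000000000",
                                      token, post=transport)
    return revoked, [url for url, _, _ in transport.calls]


if __name__ == "__main__":
    print(demo())
```

Swap `FakeTransport` for the default `http_post` and real tenant values to run it against Graph; the function signatures do not change.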