Problem implementing front channel logout with angular 11 SPA and msal v2

Majumder, Joyeeta 11 Reputation points
2022-11-04T15:58:24.763+00:00

Hi,

We have an angular 11 SPA registered with a redirect uri and front channel logout url in Azure B2C.
The front channel logout url points to our application and looks like this

https://xxxx.xx.com/logout.

This endpoint points to a component where we invoke msalService.logoutRedirect().

We have multiple applications connected to the single sign-on.

Logout from the SPA works perfectly.
But if I logout from the SPA, then user remains logged in, in the other applications.

We have followed all the documentation and made changes in the policy too.
But the front channel logout url does not seem to work.

While looking for a solution I came across a post here where the solution suggests that the logout url should look like this - https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<PolicyName>/oauth2/v2.0/logout

Is this the correct form for front-channel logout URL? because the documentation says :

In your application, create a dedicated logout page. This page should not perform any other function, such as acquiring tokens on page load (see below for details). Note, this page will be loaded in a hidden iframe.

Requirements for front-channel logout page
The page used for front-channel logout should be built as follows:

On page load, automatically invoke the MSAL logoutRedirect API.
In the PublicClientApplication configuration, set system.allowRedirectInIframe to true.
When invoking logout, we recommend preventing the redirect in the iframe to the logout page (see above).

Please suggest which is the correct solution.

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,713 questions
{count} vote

1 answer

Sort by: Most helpful
  1. Shweta Mathur 28,846 Reputation points Microsoft Employee
    2022-11-09T11:23:24.23+00:00

    Hi @Majumder, Joyeeta ,

    Thanks for reaching out and apologies for delay in response.

    When you redirect the user to the Azure AD B2C sign-out endpoint, Azure AD B2C clears the user's session from the browser.

    To clear the Azure AD B2C cookie session you need to redirect the user to the https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<PolicyName>/oauth2/v2.0/logout through front channel logout URL which enables Azure AD B2C to notify your application when a single sign-out has been requested from another application.

    When Azure AD B2C receives the logout request, it uses a front-channel HTML iframe to send an HTTP request to the registered logout URL of each participating application that the user is currently signed in to.

    After logout, the user is redirected to the URI specified in the post_logout_redirect_uri parameter where you can specify the endpoint of your application which matches one of the application's configured redirect URIs before performing the redirect.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy&WT.mc_id=AZ-MVP-5003445#single-sign-out

    Hope this will help you.

    Thanks,
    Shweta

    -----------------------------------

    Please remember to "Accept Answer" if answer helped you.