Hi @Frank,
What are you using to revoke the sign-in sessions and invalidate the SSO?
Revoking the sessions clears the refresh token but doesn't expire the SSO cookies in the browser.
Using custom policies you need to implement the following:
https://github.com/azure-ad-b2c/samples/tree/master/policies/revoke-sso-sessions
To test the policy:
1) Use the SignUpOrSignIn policy to sign in or sign up.
2) Wait 10 seconds, then use PowerShell to revoke the user's refresh token:
Revoke-AzureADUserAllRefreshToken -ObjectId <GUID>
3) Launch the SignUpOrSignIn policy or the ProfileEdit policy (remove the prompt query parameter).
4) Ensure that &prompt=login is removed.
Also, if you used a B2C starter pack prior to 2022-08-09, then you should check your base and extension policies for the pre-requisites mentioned in this link:
https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack#09-august-2022
See also:
revokeSignInSessions
Let me know if this helps and if you have further questions.
If the information helped you, please Accept the answer. This will help us and other community members as well.
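
Step 2 of the test above as a script, added here as an example and not taken from the answer or the linked sample: it revokes the test user's refresh tokens and reads back RefreshTokensValidFromDateTime to confirm the revocation was recorded before you re-run the policy in step 3. The parameter names, the polling loop and its intervals are assumptions.

```powershell
# Added example: revoke a test user's refresh tokens and confirm the directory recorded it.
# Requires the AzureAD module, which provides Revoke-AzureADUserAllRefreshToken.
param(
    [Parameter(Mandatory)] [string] $TenantId,  # assumption: your B2C tenant ID or domain
    [Parameter(Mandatory)] [string] $ObjectId   # object ID (GUID) of the test user
)

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD -TenantId $TenantId | Out-Null

# Record the current revocation timestamp so the change can be detected afterwards.
$before = (Get-AzureADUser -ObjectId $ObjectId).RefreshTokensValidFromDateTime
Write-Host "RefreshTokensValidFromDateTime before revoke: $before"

# The test asks for a 10 second gap between the sign-in and the revocation.
Start-Sleep -Seconds 10
Revoke-AzureADUserAllRefreshToken -ObjectId $ObjectId

# Poll for the updated timestamp (up to about 30 seconds; interval is an assumption).
$after = $before
for ($i = 0; $i -lt 6; $i++) {
    Start-Sleep -Seconds 5
    $after = (Get-AzureADUser -ObjectId $ObjectId).RefreshTokensValidFromDateTime
    if ($null -ne $after -and ($null -eq $before -or $after -gt $before)) { break }
}

if ($null -ne $after -and ($null -eq $before -or $after -gt $before)) {
    Write-Host "Revocation recorded at $after. Now launch the policy without &prompt=login."
} else {
    Write-Warning "Timestamp did not change; do not continue to step 3 until it does."
}
```

If the timestamp has moved forward and the policy in step 3 still signs the user in silently, the SSO cookie is being honoured without the revocation check, which is what the linked custom policy sample is meant to address.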