Azure B2C logs out but user can sign in without credentials again

Kunal Dhawan 5 Reputation points
2023-01-25T14:27:33.42+00:00

Hi Team,
Setup Overview
I am using B2C custom policies for sign-in flow in react application using msal-react and msal-browser packages. The user is able to log in properly for the first time after entering credentials. Now when the user clicks logout, B2C logout popup shows up and it goes away instantly without asking the user to choose an account which is expected because the user is signed in with only a single account. The user is redirected properly.
Doc followed - https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md

Issue
After successful logout, which seems to be happening properly as the UnAuthenticated template executes after login. When the user presses login again, it does not ask for any credentials, and the user is signed in again, which is a security issue. I am not sure what I am missing now. I have gone through all the MS docs multiple times and GitHub issues but did not find a solution.
Flow:

  1. Before First login - SessionStorage and Cookies are empty,
  2. After login - SessionStorage has values and Cookies have 2 entries - x-ms-cpim-sso and x-ms-cpim-csrf
  3. After logout - Both are cleared with no values
  4. Click login again, values from step 2 come back in. But if you don't click login and try different app routes, it shows Unauthenticated template which has login button. So seems like user was correctly logged out

A few questions and helpful information

  1. Is Azure AD B2C considered social sign-in (a federated entity) or is it considered a local account like Azure AD?
  2. I have read here that it does not assume logout from a social IDP, but I am not using anything other than B2C. In this GitHub issue, it is also mentioned that it is expected behaviour, but how do I log out properly so that the user is asked for credentials again? https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2547
  3. After pressing logout, if the user is signed out from B2C as the app executes the Unauthenticated template instead of Authenticated, how is it able to sign in again without any credentials?

Please guide me to solve this issue


4 answers

  1. Shweta Mathur 27,936 Reputation points Microsoft Employee
    2023-01-30T09:54:52.62+00:00

    Hi @Kunal Dhawan,

    Thanks for reaching out and apologies for delay in response.

    When you want to sign the user out of the application, it isn't enough to clear the application's cookies or end the session with the user.

    You must redirect the user to Azure AD B2C to sign out. Otherwise, the user might be able to re-authenticate to your applications without entering their credentials again.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#sign-out

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.


  2. Shweta Mathur 27,936 Reputation points Microsoft Employee
    2023-02-01T07:22:44.5166667+00:00

    Hi @Kunal Dhawan ,

    Your understanding is correct, but when you log out of a B2C application by calling MSAL's logout() API, MSAL.js will clear the browser storage of your user's tokens or clear the application's cookies, which is not sufficient to sign the user out of the B2C application.

    To sign out the user, redirect the user to the end_session_endpoint obtained from the OpenID metadata, which will clear the user's single sign-on state with B2C.

    GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout?post_logout_redirect_uri=https://www.jwt.ms

    If you are still facing issues, an idea would be to redirect using &prompt=login in your auth URL, which will revoke your login request.

    1. Is Azure AD B2C considered social sign-in (a federated entity) or is it considered a local account like Azure AD? B2C is not considered social sign-in, and if users are signing in to B2C with local accounts, then the user's session will be cleared if you are redirecting the user to the end_session_endpoint.
    2. I have read here that it does not assume logout from a social IDP, but I am not using anything other than B2C. In this GitHub issue, it is also mentioned that it is expected behaviour, but how do I log out properly so that the user is asked for credentials again? https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2547 Answered above.
    3. After pressing logout, if the user is signed out from B2C as the app executes the Unauthenticated template instead of Authenticated, how is it able to sign in again without any credentials? Unfortunately, calling the logout directly in B2C does not actually sign out, but it worked for Azure AD, because there is a prompt for the user to sign out, which breaks the single sign-out process of B2C and the user never gets logged out from B2C.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" and "rate" your experience if the above answer helped. This will help us and others in the community as well.
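As an added example (not code from this thread, from MSAL or from Microsoft), a small plain-JavaScript helper that builds the B2C end_session URL quoted in the answer above and the prompt=login authorize URL it suggests as a fallback, together with a check that a sign-out URL really targets the policy's end_session endpoint rather than only clearing local state. Tenant, policy, client id and redirect URI are assumed values.

```javascript
// Added example, not code from the thread, from MSAL or from Microsoft.
// Builds the B2C sign-out and sign-in URLs the answer describes.
const TENANT = "contoso";               // assumed B2C tenant name
const POLICY = "B2C_1A_signup_signin";  // assumed custom policy id
const CLIENT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder app id
const APP_URL = "https://app.example.com/";              // assumed SPA redirect URI

// Constructed sample of the two fields this page relies on, as found in the
// policy's OpenID metadata document (/v2.0/.well-known/openid-configuration).
const openIdMetadata = {
  authorization_endpoint:
    `https://${TENANT}.b2clogin.com/${TENANT}.onmicrosoft.com/${POLICY}/oauth2/v2.0/authorize`,
  end_session_endpoint:
    `https://${TENANT}.b2clogin.com/${TENANT}.onmicrosoft.com/${POLICY}/oauth2/v2.0/logout`,
};

// Sign-out URL: the browser must be sent here; clearing msal storage alone
// leaves the x-ms-cpim-sso cookie and therefore the B2C session in place.
function buildLogoutUrl(metadata, postLogoutRedirectUri) {
  if (!metadata.end_session_endpoint) {
    throw new Error("metadata has no end_session_endpoint; cannot end the B2C session");
  }
  const url = new URL(metadata.end_session_endpoint);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return url.toString();
}

// Sign-in URL; forceCredentials adds prompt=login so B2C re-prompts for
// credentials even if an SSO session still exists (the fallback mentioned above).
function buildLoginUrl(metadata, { clientId, redirectUri, scope, forceCredentials = false }) {
  const url = new URL(metadata.authorization_endpoint);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scope);
  if (forceCredentials) url.searchParams.set("prompt", "login");
  return url.toString();
}

// Check for a sign-out implementation: does the URL the app navigates to on
// logout actually hit the policy's end_session endpoint?
function logoutEndsB2cSession(logoutUrl, metadata) {
  const actual = new URL(logoutUrl);
  const expected = new URL(metadata.end_session_endpoint);
  return actual.origin === expected.origin &&
    actual.pathname.toLowerCase() === expected.pathname.toLowerCase();
}
```

In an msal-react app the same values are what you pass as postLogoutRedirectUri to logoutRedirect/logoutPopup and as prompt: "login" in the request given to loginRedirect/loginPopup.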


  3. Anonymous
    2023-03-28T13:25:58.68+00:00

    We have the same exact issue, please let me know how we can fix this?

    Right now we force login by adding "prompt=login", but if you remove it then user gets logged in without any credentials.


  4. Anonymous
    2023-04-19T13:20:16.7266667+00:00

    For anyone who is reading this in the future and has the same issue with MSAL React + B2C: we were able to fix this issue by enabling secure logout on our signup / signin custom policy.