Hello @Ajith Nair ,
Thank you for posting your query on Microsoft Q&A.
- When a user hits sign-out/logout within the B2C application, it redirects the user to the sign-out URI, thereby ending the session. However, if the logout/sign-out URI is not called, the session would still be active, and will remain active as long as the access token is valid.
- Once the access token reaches its threshold lifetime (before expiry), the refresh token would be used to get a new access token from the external IDP (Google in this case).
- There won't be any request/response happening between the IDP and B2C until a token renewal or login is needed.
- So once you log out of the federated IDP (Google), it won't send any response to your B2C resource, as the application would still have a valid token.
- As per Federated identity provider session:
If a user initially signs in with a federated account, and then during the session time window (time-to-live, or TTL) signs in to the same app or a different app, Azure AD B2C tries to acquire a new access token from the federated identity provider. If the federated identity provider session is expired or invalid, the federated identity provider prompts the user for their credentials. If the session is still active (or if the user has signed in with a local account instead of a federated account), Azure AD B2C authorizes the user and eliminates further prompts.
- A social or enterprise identity provider manages its own session. Azure AD B2C doesn't control the federated identity provider session.
- When a user tries to access a protected resource on the app, the app checks whether there is an active session on the application side. If there is no app session or the session has expired, the app will take the user to the Azure AD B2C sign-in page.
A workaround for this could be:
- Set the application session to rolling if it's a cookie-based application. This would force the user to re-authenticate after the specified time period.
- Configure Access and ID token lifetimes (minutes) to 5 minutes; this would force the application to get the session refreshed by requesting the IDP. If the user is signed out of the IDP, the session would not be renewed.
Thanks,
Akshay Kaushik
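The session layering described in the answer above, as an added example that is not part of the original post and not Microsoft, B2C or MSAL code: a small Python model of the three layers (the app's access token, Azure AD B2C, and the federated IdP session) showing why a Google sign-out stays invisible to the app until the next token renewal, and how the suggested short token lifetime surfaces it sooner. The one-minute renewal window, the scenario timings and every class and function name are assumptions made for this illustration.

```python
"""Toy model of the three session layers discussed in the answer: the client
app's access token, Azure AD B2C, and the federated IdP (Google). This is a
constructed illustration, not B2C or MSAL code; the renewal window and the
sign-in/sign-out timings are assumptions chosen for the scenarios below."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Assumption: the app tries to renew a token this many minutes before expiry.
RENEW_THRESHOLD_MIN = 1


@dataclass
class FederatedIdp:
    """Google-style IdP: it owns its session, and B2C cannot see changes to it."""
    session_active: bool = True

    def sign_out(self) -> None:
        self.session_active = False

    def silent_sign_in_ok(self) -> bool:
        """True if B2C can get a fresh assertion without prompting the user."""
        return self.session_active


@dataclass
class AccessToken:
    issued_at: int
    lifetime_min: int

    @property
    def expires_at(self) -> int:
        return self.issued_at + self.lifetime_min

    def valid(self, now: int) -> bool:
        return now < self.expires_at

    def in_renewal_window(self, now: int) -> bool:
        return self.valid(now) and now >= self.expires_at - RENEW_THRESHOLD_MIN


@dataclass
class B2CTenant:
    idp: FederatedIdp
    token_lifetime_min: int  # the "Access and ID token lifetimes (minutes)" setting

    def acquire_token(self, now: int) -> Optional[AccessToken]:
        """B2C only issues a new token if the federated IdP session still holds."""
        if not self.idp.silent_sign_in_ok():
            return None  # the IdP would prompt for credentials instead
        return AccessToken(issued_at=now, lifetime_min=self.token_lifetime_min)


@dataclass
class ClientApp:
    b2c: B2CTenant
    token: Optional[AccessToken] = None

    def request_resource(self, now: int) -> str:
        """Outcome of hitting a protected resource at minute `now`:
        'served' (app session valid, no traffic to B2C or the IdP),
        'renewed' (token refreshed through B2C, IdP session still alive) or
        'reauth_required' (renewal failed, user sent to the sign-in page)."""
        if self.token and self.token.valid(now) and not self.token.in_renewal_window(now):
            return "served"
        self.token = self.b2c.acquire_token(now)
        return "renewed" if self.token else "reauth_required"

    def sign_out(self) -> None:
        """Calling the B2C sign-out URI ends the app session immediately."""
        self.token = None


def run_scenario(token_lifetime_min: int, idp_signout_at: int,
                 check_times: Iterable[int]) -> Dict[int, str]:
    """Sign in at minute 0, sign out of the IdP at `idp_signout_at`, and record
    what the app sees at each check time (all timings are constructed)."""
    idp = FederatedIdp()
    app = ClientApp(B2CTenant(idp, token_lifetime_min))
    app.request_resource(0)  # initial federated sign-in succeeds
    outcomes: Dict[int, str] = {}
    for now in sorted(check_times):
        if now >= idp_signout_at and idp.session_active:
            idp.sign_out()  # user logs out of Google; the app is never told
        outcomes[now] = app.request_resource(now)
    return outcomes


if __name__ == "__main__":
    # 60-minute tokens: the Google sign-out at minute 10 goes unnoticed until renewal.
    print(run_scenario(60, 10, [5, 15, 40, 59]))
    # 5-minute tokens (the suggested workaround): the next renewal catches it.
    print(run_scenario(5, 10, [3, 4, 15]))
```

With 60-minute tokens the app keeps serving requests for almost an hour after the user has left Google, because nothing in the flow contacts the IdP until the renewal window; with 5-minute tokens the first renewal after the IdP sign-out fails and the user lands back on the sign-in page. Calling the app's own sign-out (the B2C sign-out URI) is the only thing in the model that ends the app session immediately.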