How to force logout from azure ad b2c while the user logged out from federated identity?

Ajith Kumar 5 Reputation points
2023-01-31T13:50:30.1433333+00:00

Hi,

I have b2c policy, and in that policy I have added google (for example) as identity provider in my b2c. And I have made enough configurations to sign in to my application using my b2c as a google user. As of now everything works fine.

Lets assume I'm currently logged in to my app. which means while I clicked sign-in in my app it redirected to b2c and from there it redirected to google. so i signed in with google credentials and then returned to b2c and then from there to my app.

My problem is that, now I'm going to logout from google. which means I haven't logged out from b2c. which means I'm still able to access my app as a signed in user.

So my question is there any way to logged out from b2c immediately after we logged from google.?

It would be grateful if anyone could provide a solution for this.

Thanks.

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,634 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Akshay-MSFT 16,026 Reputation points Microsoft Employee
    2023-02-06T09:23:12.0866667+00:00

    Hello @Ajith Nair ,

    Thank you for posting your query on Microsoft Q&A.

    • When a user hits sign-out/logout within B2C application, it redirects the user to sign-out URI there by ending the session. However if logout/sign-out URI is not called the session would still be active and will be active until the access token is valid.
    • Once the access token reaches the threshold life (before expiry) refresh token would be used to get a new access token from external IDP (Google in this case).
    • There won't be any request response happening between the IDP and B2C until there is an event of token renewal or login is needed.
    • So once you logout of federated IDP (Google) it would won't be sending any response to your B2C resource as the application would still have a valid token.
    • As per Federated identity provider session

    If a user initially signs in with a federated account, and then during the session time window (time-to-live, or TTL) signs in to the same app or a different app, Azure AD B2C tries to acquire a new access token from the federated identity provider. If the federated identity provider session is expired or invalid, the federated identity provider prompts the user for their credentials. If the session is still active (or if the user has signed in with a local account instead of a federated account), Azure AD B2C authorizes the user and eliminates further prompts.

    • A social or enterprise identity provider manages its own session. Azure AD B2C doesn't control the federated identity provider session.
    • When a user tries to access a protected resource on the app, the app checks whether there is an active session on the application side. If there is no app session or the session has expired, the app will take the user to the Azure AD B2C sign-in page.

    A workaround this could be:

    • Set application session to rolling if its a cookie based application. This would force the user to re-authenticate after the time period specified.

    enable-keep-me-signed-in

    • Configure Access and ID token lifetimes (minutes) to 5 minutes, this would force the application to get session refreshed with there requesting the IDP. If user is signed out of IDP the session would not be renewed.

    Thanks,

    Akshay Kaushik

    0 comments