Azure B2C Logout - Blazor

SandeepG 41 Reputation points
2023-02-18T16:58:28.5+00:00

Hi Folks,

I've built a Blazor server app and I'm using Azure B2C, which I built using the wizard.

I don't have a login page and I only use Google as the OAuth provider. I just have the default blanket redirect, which is fine for me.

builder.Services.AddAuthorization(options =>
{
    // By default, all incoming requests will be authorized according to the default policy
    options.FallbackPolicy = options.DefaultPolicy;
});

One issue I'm facing is that when I open the app, it doesn't prompt me asking which account I want to use. I know I'm already signed into my Google account as a whole, but when opening my app I would like the app to prompt for "choosing the account". When I run the same user flow on the portal it does prompt me. The same just doesn't happen for my app. How can I make sure that the app always asks to select the account? I read some articles which said to add the "prompt" keyword, but I don't know where to add that as I'm not calling any custom URL.


Another issue I'm facing is that the logout doesn't work as expected. In my app, the logout sequence is the same as the default, which redirects the user to the MicrosoftIdentity/Account/SignIn link.

<AuthorizeView>
    <Authorized>
        Hello, @context.User.Identity?.Name!
        <a href="MicrosoftIdentity/Account/SignOut">Log out</a>
    </Authorized>
    <NotAuthorized>
        <a href="MicrosoftIdentity/Account/SignIn">Log in</a>
    </NotAuthorized>
</AuthorizeView>

Once I click the logout button, it does something and then redirects me to this page.

User's image

However, once I click the back button, the app opens as normal with the user still signed in. I expected the app to prompt for login at least this time.

Can you please help me with the right approach for implementing this? I prefer to avoid advanced things like custom user flows. Perhaps some settings in appsettings.json can do the trick?

Thanks a lot.


2 answers

  1. Shweta Mathur 29,681 Reputation points Microsoft Employee
    2023-02-20T08:06:46.83+00:00

    Hi @SandeepG ,

    Thanks for reaching out.

    The AddMicrosoftIdentityWebAppAuthentication method in the Microsoft identity platform API allows developers to add code for advanced authentication scenarios.

    The prompt=select_account parameter will force the user to select the account they want to use even if they are already signed in with a Google account.

    To add this parameter in your URL, you need to modify the OpenIdConnectOptions in your Startup.cs file.

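    // Requires: using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    // Options are resolved per scheme name, so name the OpenID Connect scheme explicitly.
    services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
    {
        // Keep the handler that is already registered and run it first.
        var previousHandler = options.Events.OnRedirectToIdentityProvider;
        options.Events.OnRedirectToIdentityProvider = async context =>
        {
            await previousHandler(context);
            // Ask the identity provider to show the account picker.
            context.ProtocolMessage.SetParameter("prompt", "select_account");
        };
    });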

    This code adds an event handler for the OnRedirectToIdentityProvider event, which is triggered when the user needs to be redirected to the Google Account.

    Reference: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory-b2c/enable-authentication-web-application-options.md#support-advanced-scenarios

    For logout, you can clear authentication cookies from the current session and delete the current user's tokens from the token store by sending a GET request to the https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout endpoint.

    To change the post-sign-out redirect page, add /logout?post_logout_redirect_uri=/index.html

    Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#sign-out

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if the answer helped you.

    2 people found this answer helpful.
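The sign-out URL described in the answer above, written out as an added example (not code from either answer or from Microsoft). It assumes an absolute HTTPS redirect target checked against an allow-list; `B2CSignOut`, `BuildLogoutUri`, `AllowedRedirects`, the tenant `contoso`, the policy `B2C_1_susi` and the `example` hosts are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;

// Added example: builds the B2C logout URL with an encoded, allow-listed redirect.
static class B2CSignOut
{
    // Redirect targets the app accepts after sign-out (constructed values).
    static readonly HashSet<string> AllowedRedirects = new(StringComparer.OrdinalIgnoreCase)
    {
        "https://app.example.com/",
        "https://app.example.com/signed-out"
    };

    public static Uri BuildLogoutUri(string tenant, string policy, string postLogoutRedirect)
    {
        // Tenant and policy become host and path segments, so allow only name characters.
        if (!IsName(tenant) || !IsName(policy))
            throw new ArgumentException("Tenant and policy may contain only letters, digits, '-' and '_'.");

        // Exact-match allow-list: a caller-supplied URL is never reflected into the redirect.
        if (!Uri.TryCreate(postLogoutRedirect, UriKind.Absolute, out var target)
            || target.Scheme != Uri.UriSchemeHttps
            || !AllowedRedirects.Contains(target.AbsoluteUri))
            throw new ArgumentException("post_logout_redirect_uri is not on the allow-list.");

        // EscapeDataString keeps '?', '&' and '#' in the target from altering the logout query.
        return new Uri(
            $"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout" +
            $"?post_logout_redirect_uri={Uri.EscapeDataString(target.AbsoluteUri)}");
    }

    static bool IsName(string s)
    {
        if (string.IsNullOrEmpty(s)) return false;
        foreach (var c in s)
            if (!((c < 128 && char.IsLetterOrDigit(c)) || c == '-' || c == '_')) return false;
        return true;
    }

    static void Main()
    {
        Console.WriteLine(BuildLogoutUri("contoso", "B2C_1_susi", "https://app.example.com/signed-out"));
        try { BuildLogoutUri("contoso", "B2C_1_susi", "https://other.example.net/"); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```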

  2. Michael Washington 911 Reputation points MVP
    2023-02-18T19:53:34.9566667+00:00

    Instead of this:

    <a href="MicrosoftIdentity/Account/SignOut">Log Off</a>

    I use this:

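    @inject NavigationManager navigationManager

    <a href="#" @onclick="@(() => logoff())" @onclick:preventDefault>Log Off</a>

    @code {
        // Built on demand: a field initializer cannot read the injected NavigationManager.
        // BaseUri (always ends with '/') is used so the link is the same on every page.
        string logofflink => "https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=" + navigationManager.BaseUri + "MicrosoftIdentity/Account/SignOut";

        public void logoff()
        {
            // forceLoad: true performs a full browser navigation to the logout URL.
            navigationManager.NavigateTo(logofflink, true);
        }
    }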