AAD B2C logout not clearing AAD session (specifically the claim bag)

Jason Lee 181 Reputation points
2023-03-30T22:26:46.9033333+00:00

Hi,

I'm running into a scenario where it appears that B2C is not terminating an AAD session when my frontend app calls the logout endpoint of my B2C sign in/up user flow. When the user signs in again after signing out, B2C logs show that the new sign in is using the same correlation ID and the state bag has the same values. This leads to a weird behaviour where if the user changes their username/email, they can sign in with the old email if they immediately sign in again after signing out. Any ideas what could be wrong?

Here's details of our setup

  • We are using AAD B2C custom policies
  • Our frontend app is React (single page app) using MSAL React

Reproduction steps

  1. User signs in using a sign in/up custom policy flow
  2. User completes a change email custom policy flow
  3. User clicks the sign out button in our frontend app. This results in our frontend redirecting the user to ../b2c_1a_signup_or_signin_to_local_accounts/oauth2/v2.0/logout?post_logout_redirect_uri=....
  4. B2C redirects the user back to our React app. App is in unauthenticated state and redirects user to the sign in/up custom policy flow
  5. User somehow can sign in with their old email. User can also sign in with the new email as well.

What I've verified

  • Used MS Graph query to verify all AAD user object attributes containing email (that are documented anyway) are up to date
  • After changing email, if I open up an InPrivate/Incognito window (i.e. to avoid using the same AAD cookie), I can only sign in with the new email as expected
  • I looked at the B2C logs in App Insights and noticed what I mentioned above: the sign in after changing the email is using the same correlation ID even though I've signed out. The claim bag appears to have the values from the earlier sign in.
  • If I leave the tab open after signing out for over an hour, signing in behaves as expected (user can only sign in with new email) as logs show that it's signing in with a new correlation ID, which means the session terminated as expected.

What I suspect is happening

  • I suspect that even though my frontend app redirected to the B2C logout endpoint, it did not terminate my session as expected. Thus, because my login-noninteractive technical profile that performs the actual user validation is using a session manager (e.g. the Web.TPEngine.SSO.DefaultSSOSessionProvider named SM-AAD), it's actually skipping this technical profile and restoring persisted claims from the session to the state bag.

Anyway, I think the root problem is that my session is not being terminated on signout as the correlation ID is not changing. What could I be doing wrong that's causing this session to not terminate on sign out? Or am I misunderstanding the signout behaviour?

Thanks in advance!


3 answers

  1. Ayomide Oluwaga 946 Reputation points
    2023-03-30T22:49:03.45+00:00

    Hello @jason lee

    Welcome to the Q&A,

    I understand that the issue reported is that the AAD B2C logout endpoint is not terminating the session properly, leading to the claim bag retaining old values and allowing users to sign in with their old email even after changing it. I can also see that you have taken some important steps to troubleshoot the issue.

    To properly terminate a session in Azure AD B2C, you need to ensure that all the tokens associated with the user are invalidated or revoked, clear any cached tokens on the client-side, and clear any session cookies associated with the user session.

    Let me know if this helps or you have further questions.

    Oluwaga Ay


  2. Ayomide Oluwaga 946 Reputation points
    2023-03-31T16:45:57.02+00:00

    Hey @Jason Lee

    Yeah, this is true. Azure AD B2C session cookies cannot be cleared programmatically from within the custom policies. The HTTP-only attribute prevents JavaScript or other client-side scripts from modifying or accessing the cookie.

    However, there are some options that you can consider to mitigate the issue. One option is to configure your application to use a shorter session timeout period. This way, even if the session cookie is not cleared, it will expire after a short period of time, reducing the window of opportunity for someone to use the cookie to access the user's session.

    Here are the steps for this:

    1. Sign in to the Azure portal and navigate to your Azure AD B2C tenant.
    2. Select the "Identity Experience Framework" blade.
    3. Select the policy you want to modify.
    4. Select the "TrustFrameworkExtensions.xml" file.
    5. Locate the "sessionTimeoutInSeconds" property in the file.
    6. Modify the value to the desired timeout period (in seconds).
    7. Save the file and publish the policy.

    Another option is to use a different browser instance or browser profile for testing purposes. By using a different browser, you can ensure that any AAD session cookies associated with your test user are not retained when you close the browser instance.

    Please let me know if you need more information with this process.
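As an added illustration of where the B2C session lifetime is set (this is not code from either answer or from the asker's policy), here is a relying-party policy fragment using the Identity Experience Framework's UserJourneyBehaviors element, with the default rolling 24-hour setting shown commented out beside a shorter absolute timeout. The tenant name, PolicyId and output claims are assumptions constructed for the example.

```xml
<!-- Added example: relying-party section of a B2C custom policy.
     TenantId, PolicyId and the claims below are constructed for illustration. -->
<TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="contoso.onmicrosoft.com"
  PolicyId="B2C_1A_signup_or_signin_to_local_accounts"
  PublicPolicyUri="http://contoso.onmicrosoft.com/B2C_1A_signup_or_signin_to_local_accounts">

  <BasePolicy>
    <TenantId>contoso.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />

    <UserJourneyBehaviors>
      <!-- Scope="Tenant": one SSO session is shared by every policy in the tenant,
           so a session left behind by one policy (e.g. the change-email flow)
           is reused by the next sign-in until it expires. -->
      <SingleSignOn Scope="Tenant" />

      <!-- Default (weak for this scenario): rolling 24-hour session. Each
           request extends it, so a session that survived a failed logout
           stays usable all day.
      <SessionExpiryType>Rolling</SessionExpiryType>
      <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
      -->

      <!-- Tighter: absolute 15-minute session (900 s is the minimum allowed).
           It cannot be extended, so stale persisted claims expire within
           15 minutes of the original sign-in regardless of activity. -->
      <SessionExpiryType>Absolute</SessionExpiryType>
      <SessionExpiryInSeconds>900</SessionExpiryInSeconds>
    </UserJourneyBehaviors>

    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="email" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
```

A shorter expiry only narrows the window in which a session that was not cleared at logout can be reused; it does not by itself make the logout endpoint clear the cookie.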


  3. Mohammad Khalil 0 Reputation points
    2023-11-23T11:52:34.2766667+00:00

    Hi,

    AAD B2C logout clears the session cookie.

    To clear the session cookie, the logged-in account should be logged out from all sites opened in any instance of a browser. Simple as that.
