25,211 questions
Azure B2C - user can still visit website after logging out
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 9%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBF%3C/text%3E%3C/svg%3E)
Brendan Finnegan
51
Reputation points
Hello everyone,
I am having problems with my azure b2c logout methods. I am using a .NET 4.8 C# MVC app connected to azure b2c. Our app uses openidconnect and cookie authentication. The login works great, and I am using local Entra accounts for this test.
When a user clicks Log out, the method clears the OwinContext, expires the cookie from b2c, the ASP.net session cookie. It then makes a call to the B2C logout method and redirects to a different website.
My problem is that if a user click the "back" button on their browser, or opens a new tab and visits the website again, they are authenticated. The Request/Response objects show that the Session is cleared but somehow their identity is still present on the second call and the cookies look identical to the start.
Can anyone point me in the right direction? Thanks!
Here is a photo showing the cleared User Identity (right before the redirect) and in the LogOff method.
Here is a photo showing the User Identity and their claims (right after the redirect). This method is the Index method where the Claim is still there
Here is my Redirect URL and relevant code below
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{flow}/oauth2/v2.0/logout?post_logout_redirect_uri={redirectURI}
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
// ASP.NET web host compatible cookie manager
CookieManager = new SystemWebChunkingCookieManager(),
CookieName = "MyPortal.AuthCookie",
CookieSameSite = Microsoft.Owin.SameSiteMode.Lax,
CookieSecure = CookieSecureOption.Always,
CookieHttpOnly = true,
CookiePath = Globals.ApplicationRelativePath
});
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Generate the metadata address using the tenant and policy information
MetadataAddress = String.Format(Globals.WellKnownMetadata, Globals.TenantId, Globals.DefaultPolicy),
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = Globals.ClientId,
RedirectUri = Globals.RedirectUri,
PostLogoutRedirectUri = Globals.PostLogoutRedirectUri,
UseTokenLifetime = true,
// Add the ProtocolValidator property here
// Specify the callbacks for each type of notifications
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
AuthenticationFailed = OnAuthenticationFailed,
SecurityTokenValidated = OnSecurityTokenValidated
},
// Specify the claim type that specifies the Name property.
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "extension_Role",
ValidateIssuer = false
},
// Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
Scope = $"openid profile offline_access {Globals.ReadTasksScope} {Globals.WriteTasksScope}",
// ASP.NET web host compatible cookie manager
CookieManager = new SystemWebCookieManager(),
}
);
}
public ActionResult LogOff()
{
//Log out through OWIN
IEnumerable<AuthenticationDescription> authTypes = HttpContext.GetOwinContext().Authentication.GetAuthenticationTypes();
HttpContext.GetOwinContext().Authentication.SignOut(authTypes.Select(t => t.AuthenticationType).ToArray());
Request.GetOwinContext().Authentication.GetAuthenticationTypes();
HttpContext.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
Session.Clear();
Session.Abandon();
//Expire cookie
if (Request.Cookies["MyPortal.AuthCookie"] != null)
{
HttpCookie authCookie = new HttpCookie("HomeOwnerPortal.AuthCookie");
authCookie.Expires = DateTime.Now.AddDays(-1d);
Response.Cookies.Add(authCookie);
}
try
{
AccountManager accountManager = new AccountManager();
accountManager.LogOff();
var RequestUri = new System.Uri(Globals.AadLogoutUrl);
return Redirect(RequestUri.ToString());
}
catch
{
throw;
}
}
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator2024-06-13T07:59:50.98+00:00 I am currently reviewing this post, will get back to you with further inputs.
Thanks,
Akshay Kaushik
-
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator
2024-06-13T08:15:04.0333333+00:00 Kindly share the following details for me to validate the configuration:
- Full Screenshot of you application registration > Authentication.
- If identity provider is OpenID the kindly share the well known open ID URI, or metadata incase of SAML or Oauth2.
- Please do share signout custom policy chunk as well
Thanks,
Akshay Kaushik
-
Brendan Finnegan 51 Reputation points
2024-06-13T15:25:56.9633333+00:00 @Akshay-MSFT thanks for the response! I'm doing this for the first time so I'm trying to figure out if my session is getting recreated through b2c, or
Our metadata is
https://{CustomB2cLoginURL}/tfp/{tenantID}/B2C_1_Signin/v2.0/.well-known/openid-configuration
Visiting that URL provides this JSON
{
"issuer": "https://{CustomB2CLoginURL}/{TenantID}/v2.0/",
"authorization_endpoint": "https://{CustomB2CLoginURL}/{TenantID}/b2c_1_signin/oauth2/v2.0/authorize",
"token_endpoint": "https://{CustomB2CLoginURL}/{TenantID}/b2c_1_signin/oauth2/v2.0/token",
"end_session_endpoint": "https://{CustomB2CLoginURL}/{TenantID}/b2c_1_signin/oauth2/v2.0/logout",
"jwks_uri": "https://{CustomB2CLoginURL}/{TenantID}/b2c_1_signin/discovery/v2.0/keys",
"response_modes_supported": [
"query", "fragment", "form_post"],
"response_types_supported": [
"code", "code id_token", "code token", "code id_token token", "id_token", "id_token token", "token", "token id_token"],
"scopes_supported": [
"openid"],
"subject_types_supported": [
"pairwise"],
"id_token_signing_alg_values_supported": [
"RS256"],
"token_endpoint_auth_methods_supported": [
"client_secret_post", "client_secret_basic"],
"claims_supported": [
"extension_Email", "idp", "idp_access_token", "oid", "sub", "emails", "tfp", "isForgotPassword", "iss", "iat", "exp", "aud", "acr", "nonce", "auth_time"]
}
The Logout URL is the method above where it clears my session data for the user
Lastly, here is the cookies. This is a screenshot from when I logout, and then go back and visit the same URL in the same browser. (I am using Edge).
The same behavior happens if I logout, keep my browser open, open a new edge browser, and visit the same page. The HomeownerPortal.AuthCookie is what I set in my code
-
Brendan Finnegan 51 Reputation points
2024-06-13T19:46:08.2+00:00 @Akshay-MSFT I've been looking at this today again and I found something interesting. The code works okay if I test this on my local host.
But as soon as I deploy it to IIS and try through the IIS hosted website, the issue remains. Is there something related to IIS/ASP.Net that would cause the cookies to be saved even though I'm clearing them in the code and calling Session.Abandon()?
-
Brendan Finnegan 51 Reputation points
2024-06-14T14:53:56.1466667+00:00 The only solution I've found so far is to add this block of code to my MVC app. The existingUser.Identity.Name is NULL instead of "".
This causes my Request.IsAuthenticated everywhere to be set to true. In the start of the session I check the user and null them if they arent empty. This has caused the user to be redirected back to the sign in page after clicking the back button or opening a new browser.
It is still feels hacky so I am looking for another solution.
protected void Session_start() { // starting a session and already authenticated means we have an old cookie var existingUser = System.Web.HttpContext.Current.User; if (existingUser != null && existingUser.Identity.Name != "") { // clear any existing cookies IAuthenticationManager authMgr = System.Web.HttpContext.Current.GetOwinContext().Authentication; authMgr.SignOut(CookieAuthenticationDefaults.AuthenticationType); //manually clear user from HttpContext so Authorize attr works HttpContext.Current.User = new ClaimsPrincipal(new ClaimsIdentity()); } }
Sign in to comment
Sign in to answer