Azure B2C: User not logged out after logoutURI

Question

Azure B2C: User not logged out after logoutURI

Hannes Dendoncker 20

Hi,

I've configured a B2C tenant and built a .NET MVC app to use it as a login. Now, I'm trying add an option for the user to sign out, so a different account can be selected. Signing out of the app is easy, I just do

await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("OpenIDConnect");

but the issue is, when I log back in, I never get prompted to select an account, it defaults to the previous account, that still logged in with the B2C tenant. So next step, also log out of the B2C when the logout is called. I tried to do this by calling

logoutUrl = $"{azureAdB2COptions["Instance"]}{azureAdB2COptions["Domain"]}/b2c_1a_signup_signin/oauth2/v2.0/logout?" + $"post_logout_redirect_uri={Uri.EscapeDataString("https://localhost:7043/")}";

This runs fine, no errors, but the issue I had still persists! The user never gets logged out! This conflicts with all the information I find online. Any idea what causes this, the user is never logged out of the B2C tenant, or is instantly logged back in. I added this in my Program.cs

options.Prompt = "select_account";

but no luck. Any help is appreciated. Thank you.

FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-11-29T13:46:57.71+00:00

Hi @Hannes Dendoncker • Thank you for reaching out.

It seems you are calling the logout URL and on a success this still is not providing a login prompt on another call to the login method.

Can you please share how the session behaviour on the B2C tenant is configured? You can find this by using the following Learn article: Configure session behavior in Azure Active Directory B2C. I am mostly interested in the Single sign-on configuration option which you have chosen.

I have found some instances in which an "Application" configuration exhibited the same behaviour you are describing while a "Tenant" configuration did not. From the specific if you wanted to use "Application" you will need to send the appropriate client ID as well, this is not per se a mandatory parameter per the spec, however it is mandatory when you are using "Application" isolation in the SSO configuration, and I cannot see the parameter added to your logout URL in the code above.

You can read more on this here: Send a sign-out request
Hannes Dendoncker 20 Reputation points

2024-12-02T15:58:48.3133333+00:00

Hi @FrankEscarosBuechsel-MSFT , thank you very much for your reply. I'm using a custom policy, and I think I'm just using the default settings. Is there an extract out of the configuration files I can share with you?
Hannes Dendoncker 20 Reputation points

2024-12-02T16:04:35.6433333+00:00

I have experimented with setting a very short timeout, but no luck so far.

EDIT: I tried completely disabling SSO using this, but the issues still persists, even in incognito tabs
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-03T16:47:37.6233333+00:00

Hi @Hannes Dendoncker,

The setting I am referring to is directly managed in the B2C tenant user flow configuration, I'll attach a screenshot below.

You can navigate to this by switching to your B2C Directory in the Azure portal via this link: Switch Directory. You can then use the search bar to navigate to the Azure AD B2C service. From there you can navigate through the Policies onto the User Flows blade and select the particular user flow that you are using within your app. From there you want to go onto the Properties blade and collapse the first few sections until you can see the Session behaviour section as below. I'd be interested what is selected there for your particular user flow configuration, I am assuming Application for the SSO configuration right now which leads to the behaviour you are describing when no clientID property is sent in the logout URL.

You can either try changing this to Tenant which is one way of resolving the problem you are seeing or you can append the clientID to your logout URL as described in the Learn article here: Send a sign-out request.
Hannes Dendoncker 20 Reputation points

2024-12-04T15:11:22.2433333+00:00

Hi @FrankEscarosBuechsel-MSFT , thank you very much for answering. The issue is, since I'm using a custom policy, this user flow is not listed under 'user flows'.

The custom flow is listed under "Identity Framework Experience" and does not have the same configuration menu when clicked.

Now, when clicking on such a custom policy I cannot see the same configuration menu as with a regular user flow. What I can do is configure the same settings using xml in the custom policy file. I have tried disabling SSO using default "SM-Noop" session management technical profile. I have tried setting it to Tenant, I have tried setting it to Application and sending the clientID as a parameter in my logout URI. None have worked. I feel like I've exhausted my options but it's still not functional. I would greatly appreciate any advice. Thank you very much.
Hannes Dendoncker 20 Reputation points

2024-12-04T15:15:58.3266667+00:00

Would you like me to send you my TrustFrameworkExtensions.xml file? That way you can see my full configuration.
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-04T15:32:28.4633333+00:00

Hi @Hannes Dendoncker,

That would be good indeed, can you please send it to AzCommunity@microsoft.com with the subject "Attn: Frank EB" and a reference to this Q&A thread in the body to make it easier to find? Can I also ask you to collect a browser trace of the logout flow and send that to the email as well, please do not share the trace here as it contains sensitive data.

Capture a browser trace for troubleshooting

1 answer

Your answer

FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-11-29T13:46:57.71+00:00

Hi @Hannes Dendoncker • Thank you for reaching out.

It seems you are calling the logout URL and on a success this still is not providing a login prompt on another call to the login method.

Can you please share how the session behaviour on the B2C tenant is configured? You can find this by using the following Learn article: Configure session behavior in Azure Active Directory B2C. I am mostly interested in the Single sign-on configuration option which you have chosen.

I have found some instances in which an "Application" configuration exhibited the same behaviour you are describing while a "Tenant" configuration did not. From the specific if you wanted to use "Application" you will need to send the appropriate client ID as well, this is not per se a mandatory parameter per the spec, however it is mandatory when you are using "Application" isolation in the SSO configuration, and I cannot see the parameter added to your logout URL in the code above.

You can read more on this here: Send a sign-out request
Hannes Dendoncker 20 Reputation points

2024-12-02T15:58:48.3133333+00:00

Hi @FrankEscarosBuechsel-MSFT , thank you very much for your reply. I'm using a custom policy, and I think I'm just using the default settings. Is there an extract out of the configuration files I can share with you?
Hannes Dendoncker 20 Reputation points

2024-12-02T16:04:35.6433333+00:00

I have experimented with setting a very short timeout, but no luck so far.

EDIT: I tried completely disabling SSO using this, but the issues still persists, even in incognito tabs
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-03T16:47:37.6233333+00:00

Hi @Hannes Dendoncker,

The setting I am referring to is directly managed in the B2C tenant user flow configuration, I'll attach a screenshot below.

You can navigate to this by switching to your B2C Directory in the Azure portal via this link: Switch Directory. You can then use the search bar to navigate to the Azure AD B2C service. From there you can navigate through the Policies onto the User Flows blade and select the particular user flow that you are using within your app. From there you want to go onto the Properties blade and collapse the first few sections until you can see the Session behaviour section as below. I'd be interested what is selected there for your particular user flow configuration, I am assuming Application for the SSO configuration right now which leads to the behaviour you are describing when no clientID property is sent in the logout URL.

You can either try changing this to Tenant which is one way of resolving the problem you are seeing or you can append the clientID to your logout URL as described in the Learn article here: Send a sign-out request.
Hannes Dendoncker 20 Reputation points

2024-12-04T15:11:22.2433333+00:00

Hi @FrankEscarosBuechsel-MSFT , thank you very much for answering. The issue is, since I'm using a custom policy, this user flow is not listed under 'user flows'.

The custom flow is listed under "Identity Framework Experience" and does not have the same configuration menu when clicked.

Now, when clicking on such a custom policy I cannot see the same configuration menu as with a regular user flow. What I can do is configure the same settings using xml in the custom policy file. I have tried disabling SSO using default "SM-Noop" session management technical profile. I have tried setting it to Tenant, I have tried setting it to Application and sending the clientID as a parameter in my logout URI. None have worked. I feel like I've exhausted my options but it's still not functional. I would greatly appreciate any advice. Thank you very much.
Hannes Dendoncker 20 Reputation points

2024-12-04T15:15:58.3266667+00:00

Would you like me to send you my TrustFrameworkExtensions.xml file? That way you can see my full configuration.
FrankEscarosBuechsel-MSFT 900 Reputation points Microsoft Employee Moderator

2024-12-04T15:32:28.4633333+00:00

Hi @Hannes Dendoncker,

That would be good indeed, can you please send it to AzCommunity@microsoft.com with the subject "Attn: Frank EB" and a reference to this Q&A thread in the body to make it easier to find? Can I also ask you to collect a browser trace of the logout flow and send that to the email as well, please do not share the trace here as it contains sensitive data.

Capture a browser trace for troubleshooting

Answer 1

Shweta Mathur 30,296 Microsoft Employee Moderator

Hi @Hannes Dendoncker

Thank you for your patience.

end_session_endpoint is used by the app to go to the logout page of B2C.

Did you try to send a sign-out request directly:

GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Fjwt.ms%2F

Also, as FrankEscarosBuechsel-MSFT mentioned, you need to configure session behavior in your custom policy.

Could you please verify that KMSI(Keep me Signed In) is not enable in your application.

<ClaimsProvider>
  <DisplayName>Local Account</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
      <Metadata>
        <Item Key="setting.enableRememberMe">False</Item>      
     </Metadata>     
</TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

Also, while configuring the web app session timeout in your custom policy, configure it as :

Absolute - Indicates that the user is forced to reauthenticate after the time period specified.

<UserJourneyBehaviors>
  <SingleSignOn Scope="Application" />
  <SessionExpiryType>Absolute</SessionExpiryType>
  <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
</UserJourneyBehaviors>

Hope this will help to validate the configuration at your end. If you are still facing issues, an idea would be to redirect using &prompt=login in your auth url will revoke your login request.

Hope this will help.

Thanks,

Shweta

Hannes Dendoncker 20 Reputation points

2024-12-05T14:57:18.5466667+00:00
Hello @Shweta Mathur . I would once again like to thank you for taking the time to help me out. When I visited the link I suggested, this is the page I get:

I've implemented your suggestion, adding <Item Key="setting.enableRememberMe">False</Item>, but I still get prompted if I want to stay signed in so I suspect the settings are somehow not applied?

This is the entire ClaimsProviders extract out of my TrustFrameworkExtensions.xml, maybe you see an obvious mistake here, but I've went over it a million times and I'm not sure.

(code does not seem to load within a code block, so here is the code in plaintext)

<ClaimsProviders>

<ClaimsProvider> <Domain>commonaad</Domain> <DisplayName>Common AAD</DisplayName> <TechnicalProfiles> <TechnicalProfile Id="AADCommon-OpenIdConnect"> <DisplayName>Multi-Tenant AAD</DisplayName> <Description>Login with your Contoso account</Description> <Protocol Name="OpenIdConnect"/> <Metadata> <Item Key="METADATA">https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration</Item> <Item Key="client_id">Removed before posting online, but working correctly</Item>

<Item Key="response_types">code</Item> <Item Key="scope">openid profile email</Item> <Item Key="response_mode">form_post</Item> <Item Key="HttpBinding">POST</Item> <Item Key="UsePolicyInRedirectUri">false</Item> <Item Key="DiscoverMetadataByTokenIssuer">true</Item> <Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/</Item> <Item Key="setting.enableRememberMe">False</Item> <Item Key="SingleSignOn">Tenant</Item> </Metadata> <CryptographicKeys> <Key Id="client_secret" StorageReferenceId="B2C_1A_AADAppSecret"/> </CryptographicKeys> <OutputClaims> <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/> <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" /> <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" /> <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" /> <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" /> <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" /> <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" /> </OutputClaims> <OutputClaimsTransformations> <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/> <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/> <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/> <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/> </OutputClaimsTransformations> <UseTechnicalProfileForSessionManagement ReferenceId="AADCommon-OpenIdConnect"/> </TechnicalProfile> </TechnicalProfiles> </ClaimsProvider> </ClaimsProviders> Code stops here

I've tried setting <Item Key="SingleSignOn">Application</Item> to values 'Application', Tenant' and 'None', but there was no notable impact. I'm sure I've uploaded the file correctly, because when I download it again from the Identity Experience Framework management page I see my changes. I'm looking forward to your reply, thank you!
Hannes Dendoncker 20 Reputation points

2024-12-05T14:58:18.84+00:00

I never see my first comment appear before I comment a second time, not sure this is a visual bug or my previous comment did not get posted. So I'm posting this one to be sure..
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2024-12-12T05:34:31.2933333+00:00

@Hannes Dendoncker Just following up to confirm that my colleague has requested additional information via private message to assist with the support options for this issue. If you have any updates or need further assistance, please don't hesitate to post back.

Share via

Azure B2C: User not logged out after logoutURI

1 answer

Your answer