Azure API Management: Automatic Sign-In Issue After Signing Out

Question

Azure API Management: Automatic Sign-In Issue After Signing Out

hawthorne91 240

In Azure API Management, users are able to log in via Azure AD B2C. However, an issue occurs after they sign out and attempt to log in again. Upon being redirected to the sign-in page and pressing the Azure AD B2C button, users are automatically logged back in without having to re-enter their credentials. What is causing this behavior, and how can it be resolved?

Update: I've tried adding "&prompt=login" to my authorization endpoint in API Management but nothing has come of it. I was also reading the issue from this link (https://github.com/Azure/api-management-developer-portal/issues/1068) however the solutions there do not fit my architecture.

Anonymous

2025-01-29T09:17:25.6433333+00:00

Hello @hawthorne91 To resolve the automatic sign-in issue, ensure that ID Tokens are enabled in your Azure AD B2C app registration under "Implicit grant and hybrid flows." Additionally, enable "Require ID Token in logout requests", ensure the post_logout_redirect_uri matches one of the registered reply URLs, and clear cookies or use an incognito window to ensure the session is fully terminated before re-login.
hawthorne91 240 Reputation points

2025-01-29T16:14:17.1133333+00:00

Hi Rukmini, thank you for your reply!

For clarification, I would make the sign out button in my API Management service contain the permalink https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user-flow}/oauth2/v2.0/logout?post_logout_redirect_uri=https://{custom-apim-portal-url} , correct? The post_logout_redirect_uri not only being the custom APIM portal url but also being a redirect URI in my app registration? Does it also need to be in the Front-channel logout URL?
Anonymous

2025-01-30T03:32:12.02+00:00

Hi @hawthorne91 Yes, the post_logout_redirect_uri in your API Management sign-out URL should be your custom portal URL, and it must also be registered as a valid redirect URI in your Azure AD B2C app registration. Additionally, it should also be configured as the Front-channel logout URL to ensure proper logout behavior across all apps.
hawthorne91 240 Reputation points

2025-01-30T14:30:33.07+00:00

Hi Rukmini,

Thanks for the response! Something else I want to ask - will enabling ID tokens (used for implicit and hybrid flows) under the Implicit grant and hybrid flows section of the app registration cause any downtime for my API Management user portal? Currently the portal is used by external users, and when I enabled Require ID Token in logout requests in my user flow (without enabling ID tokens) before it was pushed out to external users, it caused an issue with the developer portal. I was just curious as to if this would cause downtime, as I don't want my users experiencing any issues.
Anonymous

2025-01-31T03:54:59.6+00:00

Hello @hawthorne91 Enabling ID tokens in the "Implicit grant and hybrid flows" should not result in downtime for your API Management user portal. However, it could affect authentication behavior, so it's advised to test these changes in a staging environment beforehand. Make sure the logout URL, post-logout redirect, and front-channel logout URLs are properly configured to prevent issues during sign-in or sign-out. And did it resolve the issue?
hawthorne91 240 Reputation points

2025-01-31T16:27:37.05+00:00

Hi Rukmini,

So I enabled ID tokens in the Implicit grant and hybrid flows, and I've also placed the portal's main Front-channel logout URL to my home page for my API Management instance as well. The same link is also in the Single-page application Redirect URIs, as well as the post_logout_redirect_uri on the permalink for my API Management sign out button. The signouts sadly still do not work, however I still haven't enabled Require ID Token in logout requests under Session behavior in my user flow because when I had previously enabled this feature, trying to sign-out was causing issues. How should I proceed?

Also, I'm not sure if this is worth referencing but at the end of my custom domain, I have a slash"/" in all of the previously mentioned URL/URI values. I'm not sure if this is causing any issues, but I thought I'd mention it anyway.
Anonymous

2025-02-04T03:54:32.6133333+00:00

The trailing slash in your custom domain URLs could be causing the sign-out issue, as Azure AD B2C requires exact URL matching. Remove the trailing slash from all URLs in your app registration and sign-out configurations. Additionally, test enabling "Require ID Token in logout requests" in a staging environment to ensure proper session handling, and check for any caching issues by clearing cookies or using incognito mode.
Anonymous

2025-02-07T06:20:57.1166667+00:00

hawthorne91 We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet .In case if you have any resolution please do share that same with the community as it can be helpful to others . Otherwise, will respond back with the more details and we will try to help.

1 answer

Your answer

Anonymous

2025-01-29T09:17:25.6433333+00:00

Hello @hawthorne91 To resolve the automatic sign-in issue, ensure that ID Tokens are enabled in your Azure AD B2C app registration under "Implicit grant and hybrid flows." Additionally, enable "Require ID Token in logout requests", ensure the post_logout_redirect_uri matches one of the registered reply URLs, and clear cookies or use an incognito window to ensure the session is fully terminated before re-login.
hawthorne91 240 Reputation points

2025-01-29T16:14:17.1133333+00:00

Hi Rukmini, thank you for your reply!

For clarification, I would make the sign out button in my API Management service contain the permalink https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user-flow}/oauth2/v2.0/logout?post_logout_redirect_uri=https://{custom-apim-portal-url} , correct? The post_logout_redirect_uri not only being the custom APIM portal url but also being a redirect URI in my app registration? Does it also need to be in the Front-channel logout URL?
Anonymous

2025-01-30T03:32:12.02+00:00

Hi @hawthorne91 Yes, the post_logout_redirect_uri in your API Management sign-out URL should be your custom portal URL, and it must also be registered as a valid redirect URI in your Azure AD B2C app registration. Additionally, it should also be configured as the Front-channel logout URL to ensure proper logout behavior across all apps.
hawthorne91 240 Reputation points

2025-01-30T14:30:33.07+00:00

Hi Rukmini,

Thanks for the response! Something else I want to ask - will enabling ID tokens (used for implicit and hybrid flows) under the Implicit grant and hybrid flows section of the app registration cause any downtime for my API Management user portal? Currently the portal is used by external users, and when I enabled Require ID Token in logout requests in my user flow (without enabling ID tokens) before it was pushed out to external users, it caused an issue with the developer portal. I was just curious as to if this would cause downtime, as I don't want my users experiencing any issues.
Anonymous

2025-01-31T03:54:59.6+00:00

Hello @hawthorne91 Enabling ID tokens in the "Implicit grant and hybrid flows" should not result in downtime for your API Management user portal. However, it could affect authentication behavior, so it's advised to test these changes in a staging environment beforehand. Make sure the logout URL, post-logout redirect, and front-channel logout URLs are properly configured to prevent issues during sign-in or sign-out. And did it resolve the issue?
hawthorne91 240 Reputation points

2025-01-31T16:27:37.05+00:00

Hi Rukmini,

So I enabled ID tokens in the Implicit grant and hybrid flows, and I've also placed the portal's main Front-channel logout URL to my home page for my API Management instance as well. The same link is also in the Single-page application Redirect URIs, as well as the post_logout_redirect_uri on the permalink for my API Management sign out button. The signouts sadly still do not work, however I still haven't enabled Require ID Token in logout requests under Session behavior in my user flow because when I had previously enabled this feature, trying to sign-out was causing issues. How should I proceed?

Also, I'm not sure if this is worth referencing but at the end of my custom domain, I have a slash"/" in all of the previously mentioned URL/URI values. I'm not sure if this is causing any issues, but I thought I'd mention it anyway.
Anonymous

2025-02-04T03:54:32.6133333+00:00

The trailing slash in your custom domain URLs could be causing the sign-out issue, as Azure AD B2C requires exact URL matching. Remove the trailing slash from all URLs in your app registration and sign-out configurations. Additionally, test enabling "Require ID Token in logout requests" in a staging environment to ensure proper session handling, and check for any caching issues by clearing cookies or using incognito mode.
Anonymous

2025-02-07T06:20:57.1166667+00:00

hawthorne91 We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet .In case if you have any resolution please do share that same with the community as it can be helpful to others . Otherwise, will respond back with the more details and we will try to help.

Answer 1

Anonymous

Hello @hawthorne91,

We understand that you are facing an issue with Azure AD B2C sign in. Users are able to login back automatically after initial login without having to re-enter their credentials.

After reviewing the situation, I would like to suggest a few troubleshooting steps to help resolve the issue:

Ensure that session behavior is correctly configured in the settings in Azure AD B2C tenant. To adjust the settings, you need to sign in to the Azure portal.

If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.

Choose All services in the top-left corner of the Azure portal and then search for and select Azure AD B2C.

Select User flows (policies).

Open the user flow that you previously created.

Select Properties.

Under Session behavior, you can see Enable keep me signed in session. When you enable the feature, users can opt to stay signed in, so the session remains active after they close the browser. You can disable the option and check the behavior.

Also, make sure that the cookies are cleared upon signing out.

Kindly refer the document for more detailed information: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-user-flow#configure-kmsi-for-a-user-flow

Hope this helps. Do let us know if you any further queries.

Thanks & Best Regards,

Janaki Kota

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

hawthorne91 240 Reputation points

2025-01-21T13:47:18.4633333+00:00

Hello @Anonymous thank you for your reply!

The "Enable keep me signed in session" checkbox is not enabled. When I close out of the browser that I am logged into, I am forced to reauthenticate when I load the website back up. The main issue is that when I sign out and press the sign in button again in the API Management developer portal, it automatically signs me back in.

As for confirming that the cookies are cleared upon signing out, it appears that the cookies stay in browser when I sign out. Would you know how to fix this issue? I have tried clearing out cookies previously however many of the resources that I find are for self-hosted portals, rather than APIM's built-in portal.
hawthorne91 240 Reputation points

2025-01-22T17:03:12.8033333+00:00

Hello @Anonymous have there been any updates on this issue? Thank you for your assistance in advance.
Anonymous

2025-01-22T18:14:36.7366667+00:00

Hello hawthorne91,

Sometimes, clearing the application cookies isn't enough. You must redirect the user to Azure AD B2C to sign out. Please ensure that the application Logout URL is correctly configured along with the requirement of an ID Token in logout requests.

Kindly refer the document for detailed steps: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-user-flow#sign-out

Please don't hesitate to reach out if you have any queries further.

Best Regards

Janaki Kota
hawthorne91 240 Reputation points

2025-01-22T20:32:52.9566667+00:00

Hi @Anonymous

Thank you for the instructions! In my APIM portal, I've set the permalink for the sign out button to https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{user-flow}/oauth2/v2.0/logout?post_logout_redirect_uri=https://{custom-apim-portal-url} with the custom apim portal url being the home page of the developer portal. In my B2C registration, I've also set the "Front-channel logout URL" to the same value that is in the post_logout_redirect_uri.

Something that I did notice though is that for my B2C registration, under "Implicit grant and hybrid flows" I do not have ID tokens or access tokens checked. Would I need to check "ID tokens (used for implict and hybrid flows)"? For reference, when I deploy the portal now with the setting checked to "Require ID Token in logout requests" in my user flow I receive an error.
hawthorne91 240 Reputation points

2025-01-24T16:44:56.3733333+00:00

Hi @Anonymous

I created a separate developer tier API Management instance, and I've followed this link (https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad-b2c) to add the B2C logins, and when I sign out it actually logs the user out and this issue does not occur, at least from the limited amount of testing that I've done. The issue does appear, however, in our standard tier portal.

What should I try troubleshooting to find this issue? For reference, we're also using a custom domain for the developer portal for the standard tier APIM endpoint, could this be causing issues?
Anonymous

2025-01-24T17:33:50.4133333+00:00

Hello hawthorne91,

Thanks for the update.

We are checking this internally. We will provide an update at the earliest.

Best Regards,

Janaki Kota
hawthorne91 240 Reputation points

2025-01-24T17:52:35.1233333+00:00

Hi @Anonymous

Thank you for the update! I'll be looking forward to your response.
Anonymous

2025-01-27T16:53:39.46+00:00

Hello hawthorne91,

Upon further troubleshooting we see that if a valid id_token_hint is passed and the Require ID Token in logout requests is turned on, Azure AD B2C verifies that the value of post_logout_redirect_uri matches one of the application's configured redirects URIs before performing the redirect. If no matching reply URL was configured for the application, an error message is displayed, and the user isn't redirected.

Could you please check if Enforce SSO logout validation is enabled.

Also, could you share the error screen shot you are experiencing when you enable "Require ID Token in logout requests" to investigate the issue further?

Thanks & Best Regards

Janaki Kota
hawthorne91 240 Reputation points

2025-01-28T15:21:36.61+00:00

Hi @Anonymous

Thank you for the prompt response, I really appreciate you sticking with me throughout this entire issue!

I have confirmed that Enforce SSO logout validation is set to "No". Of course, as you already know, Require ID Token in logout requests is also set to "No".

My apologies but I cannot currently edit the portal as it is currently being used by external users. The error from what I recall is that the id token wasn't included in the sign out request. It would occur when pressing the sign out button in my API Management instance, and it would be displayed by B2C, saying "Sorry but we're having trouble signing you out" or something along those lines. Please let me know if you need any information.
Anonymous

2025-01-30T21:29:55.8966667+00:00

Hi @Janaki Kota , from my understanding of the issue, this seems like expected behavior from SSO. When SSO is enabled, users are able to sign in once and then access multiple applications without having to sign in again.

In your case, it seems that the SSO session is still active even after the user has signed out. This can happen if the session has not yet expired or if the user's browser is still storing the session cookie.

Can you please test this theory and clear your cookies after signing out, and then try to sign back in again?

Thank you,

James
hawthorne91 240 Reputation points

2025-01-30T21:56:03.1933333+00:00

Hi James Hamil,

Your theory was correct! When I signed out and cleared out the cookies, I remained logged out and had to reauthenticate. What does this mean though? In my user flow, I have "Enforce SSO logout validation" set to "No". Is there another setting I should be looking at? Thank you in advance.

Share via

Azure API Management: Automatic Sign-In Issue After Signing Out

1 answer

Your answer