azure ad b2c ineffective log out mechanism

Kamran Bashir 11 Reputation points
2019-12-03T22:32:04.68+00:00

Let's suppose you are signed in and you have an Account controller and an Index view.
In steps...

  1. When you first render https://abc.com/account/index, capture this request in Fiddler.
     You get an HTTP 200 response and some data, let's suppose "hello world".
  2. Next you call the logout endpoint in your web app, and it runs the following code (OWIN; the original used a non-generic IEnumerable, which does not compile with the Select call, so it is typed here):

        // Collect every registered authentication type (cookie, OpenID Connect, ...)
        IEnumerable<AuthenticationDescription> authTypes =
            HttpContext.GetOwinContext().Authentication.GetAuthenticationTypes();
        // Sign out of all of them at once
        HttpContext.GetOwinContext().Authentication.SignOut(
            authTypes.Select(t => t.AuthenticationType).ToArray());

In Fiddler it shows it has called something like
https://login.microsoftonline.com/common/oauth2/logout?.....

  3. Close the browser.
  4. Repeat step 1.

Again you get an HTTP 200 response and some data, let's suppose "hello world", instead of HTTP 401.

That is very frustrating....

1 vote

1 answer

  1. AmanpreetSingh-MSFT 55,206 Reputation points
    2019-12-05T06:56:22.783+00:00

    @Kamran Bashir Replaying a request using Fiddler is not the correct way to test. I tried the same for https://portal.azure.com/signin/index and am getting 200 OK. I also tested after editing the request and removing tokens and cookies from the request and am still receiving an HTTP 200 response code. I would suggest you test the logout experience via a web browser and capture a Fiddler trace to see if you are getting 401, rather than replaying the request via Fiddler.

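Added example, not code from the question or the answer above: OWIN cookie authentication is stateless by default, so `SignOut` only tells the browser to drop the cookie; a request replayed with the captured cookie stays valid until the ticket expires. The configuration below makes sign-out hold on the server side by stamping each cookie with a per-user session version and rejecting cookies whose version is stale. `SessionVersionStore`, the `urn:example:session-version` claim type and the in-memory dictionary standing in for a database are all assumptions for this illustration; the claim must be added to the identity at sign-in time (for Azure AD B2C, typically in the OpenID Connect `SecurityTokenValidated` notification, which is also assumed here).

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical store of the current session version per user.
// Bumping the version invalidates every cookie issued before the bump.
public static class SessionVersionStore
{
    public const string ClaimType = "urn:example:session-version"; // assumed claim type
    private static readonly ConcurrentDictionary<string, int> Versions =
        new ConcurrentDictionary<string, int>();

    public static int Current(string userId) => Versions.GetOrAdd(userId, 1);

    public static int Revoke(string userId) =>
        Versions.AddOrUpdate(userId, 2, (_, v) => v + 1);

    // Call when building the identity at sign-in so the cookie carries the version.
    public static ClaimsIdentity WithSessionVersion(ClaimsIdentity identity)
    {
        var userId = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId != null)
            identity.AddClaim(new Claim(ClaimType, Current(userId).ToString()));
        return identity;
    }

    // True only when the cookie's version matches the server's current version.
    public static bool IsCurrent(ClaimsIdentity identity)
    {
        var userId = identity?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var versionClaim = identity?.FindFirst(ClaimType)?.Value;
        if (userId == null || !int.TryParse(versionClaim, out var version))
            return false;
        return version == Current(userId);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            Provider = new CookieAuthenticationProvider
            {
                // Runs on every request that presents the cookie. A replayed
                // pre-logout cookie fails the version check and is rejected,
                // so [Authorize] endpoints answer 401 instead of 200.
                OnValidateIdentity = ctx =>
                {
                    if (!SessionVersionStore.IsCurrent(ctx.Identity))
                        ctx.RejectIdentity();
                    return Task.FromResult(0);
                }
            }
        });
    }
}

public static class LogoutHelper
{
    // Bump the version first, then sign out of every authentication type,
    // which is what the question's logout code already does.
    public static void SignOutEverywhere(IOwinContext owin)
    {
        var userId = owin.Authentication.User?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId != null)
            SessionVersionStore.Revoke(userId);

        IEnumerable<AuthenticationDescription> authTypes =
            owin.Authentication.GetAuthenticationTypes();
        owin.Authentication.SignOut(authTypes.Select(t => t.AuthenticationType).ToArray());
    }
}
```

With this in place the Fiddler replay in the question becomes a meaningful test: the endpoint must be protected with `[Authorize]` (the page does not show whether `/account/index` is), and after `SignOutEverywhere` runs, a replayed request carrying the old cookie is rejected by `OnValidateIdentity` rather than served. The version store must be shared across web nodes (a database or distributed cache) for the check to hold in a scaled-out deployment.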