This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 47%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
Hello everyone! I'm trying to implement the single sign-out into a client-side applications (React JS + @azure/msal-react) and I'm facing with some issues.
Before, lets ilustrate. When the logout is performed the Azure AD B2C open an iframe and send a HTTP POST request into my application, and the application should invalidade the session.
The flow works fine into a server-side applications (your cookie SameSite should be None)
When one of my applications performs a logout, the Front-channel logout URL is called. However, in my client-side application, when the iframe tries to perform the logout or clear the user's cookies, it doesn't work because the iframe cannot access the domain cookies, which are blocked due to third-party cookie restrictions, keeping the user session active.
The problem still persists if the user navigates between routes or refreshes the page, because the session remains active in the cache manager.
I tried to implement a route, but it didn’t work.
WARNING: Skipping the server sign-out means the user's session will remain active on the server and can be signed back into your application without providing credentials again.
import React, { useEffect } from "react";
import { useMsal } from "@azure/msal-react";
import { BrowserUtils } from "@azure/msal-browser";
export function Logout() {
const { instance } = useMsal();
useEffect(() => {
instance.logoutRedirect({
account: instance.getActiveAccount(),
onRedirectNavigate: () => !BrowserUtils.isInIframe()
})
}, [ instance ]);
return (
<div>Logout</div>
)
}
The code above was found here
I tried adding an event callback expecting to receive a logout or account removal event. Apparently, it's only used for managing the current application between browser tabs.
msalInstance.addEventCallback((message: EventMessage) => {
if (message.eventType === EventType.ACCOUNT_ADDED) {
// Update UI with new account
} else if (message.eventType === EventType.ACCOUNT_REMOVED) {
// Update UI with account logged out
} else if (message.eventType === EventType.ACTIVE_ACCOUNT_CHANGED) {
const accountInfo = msalInstance.getActiveAccount();
// Update UI with new active account info
}
});
This didn’t work either :/
I tried modifying my custom policies to intercept the logout flow but without success.
Some info about my implementation:
If someone has solve the problem and can share the solution, I would be grateful ❤
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 77%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hello @Juliano Roberto da Silva Biffi,
I understand the challenge you're facing with implementing single sign-out in your client-side application using Azure AD B2C.
logoutRedirect(): Instead of relying on the iframe, use the logoutRedirect() method to perform the logout. This avoids issues with third-party cookie restrictions and ensures proper session termination.sessionStorage or localStorage to track the user’s authentication state locally, especially in environments where cookies are blocked.postMessage or BroadcastChannel to notify other tabs or windows about the logout event, ensuring consistent session state across your applications.Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
@Juliano Roberto da Silva Biffi, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
Hi Rukmini!
Regarding your answer, I have some considerations:
Use logoutRedirect(): As I illustrated in my question, Azure AD B2C, which opens the iframe and makes the request, is not under my control. When the user requests logout in my server-side application (React JS), I call that method to perform the logout. My problem is creating a public React JS page so that, when Azure AD B2C sends an HTTP GET request, the logout is performed in my application as well.
The scenario is as follows:
Manage Session State Locally: I have defined the session in localStorage. When two tabs of my app are open and sign-out is performed, the other tabs lose the session as well. This is working.
My custom policies are correctly configured and sending the front-channel logout URLs to every application that the user is connected to.
postMessage or BroadcastChannel: They don't work because it is the Azure AD B2C domain that is open, so the messages are not delivered.
Inform users: It doesn't make sense to do that, as I will be offering SSO (Single Sign-On) that cannot perform a single sign-out.
@Juliano Roberto da Silva Biffi, I understand the issue, we will check internally and get back to you
Thanks for the support, Rukmini! I will wait for your answer. I've tried other things, but they haven't worked. No matter what I do, the session is still active. (It's worth mentioning that when the logout is performed on App 2, the session is correctly revoked on App 2 and App 1 as well, because App 1 uses a server-side integration. The main problem is when the logout are performed at App 1)