B2C - Cannot logout from IDP when two B2C tenants are involved.

Rajesh Naik 1 Reputation point
2021-09-27T05:25:25.117+00:00

Hello,

We have a special design of B2C tenants, as shown below, to support a large number of customers:

[Screenshot: diagram of the frontend B2C tenant / backend B2C tenant / IdP design]

With this design the authentication flow works perfectly fine: the application requests authentication from the frontend tenant, the frontend forwards the request to the backend tenant, and the backend then forwards it to the IdP.

Metadata URL used for federating from the frontend B2C tenant to the backend B2C tenant: https://backendTenant.b2clogin.com/backendTenant.onmicrosoft.com/B2C_1A_signin/v2.0/.well-known/openid-configuration

We are facing an issue during logout:

  1. The application sends the logout request to the frontend tenant: https://frontendTenant.b2clogin.com/frontendTenant.onmicrosoft.com/B2C_1A_signin/oauth2/v2.0/logout?p=B2C_1A_signin&&post_logout_redirect_uri=http://localhost:5001
  2. The frontend sends a logout request to the backend tenant: https://backendTenant.b2clogin.com/backendTenant.onmicrosoft.com/b2c_1a_signin_group_1/oauth2/v2.0/logout
  3. The application's post-logout URL is called.

If we observe here, the backend tenant logout request doesn't contain the post_logout_redirect_uri field, hence the backend B2C tenant is not making the IdP logout request, because of which the IdP session is not getting cleared.

My questions:

  • How can we make the frontend tenant send the same post_logout_redirect_uri field in the backend logout request?
  • I tried setting an explicit end_session_endpoint in the technical profile, but how do we capture the original logout request and extract the post_logout_redirect_uri?
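The chained logout the question describes, as an added illustration that is not part of the original post and not Azure AD B2C's own implementation: it parses the logout request the application sent to the frontend tenant, extracts post_logout_redirect_uri, checks it against a registered allowlist (OIDC RP-Initiated Logout only permits pre-registered redirect URIs, which is what prevents the parameter from becoming an open redirect), and builds the downstream request to the backend tenant's end_session_endpoint with the parameter carried over. The backend endpoint value, the allowlist and the sample request are constructed from the URLs quoted in the question; in a real deployment the end_session_endpoint is read from the backend tenant's discovery document.

```python
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample input: the logout request the application sends to the
# frontend tenant, as quoted in the question (note the stray "&&", which
# parse_qs tolerates as an empty field).
SAMPLE_FRONTEND_LOGOUT = (
    "https://frontendTenant.b2clogin.com/frontendTenant.onmicrosoft.com/"
    "B2C_1A_signin/oauth2/v2.0/logout?p=B2C_1A_signin&&"
    "post_logout_redirect_uri=http://localhost:5001"
)

# Assumption: the end_session_endpoint the backend tenant's discovery document
# advertises. The question shows this URL being called without parameters.
BACKEND_END_SESSION_ENDPOINT = (
    "https://backendTenant.b2clogin.com/backendTenant.onmicrosoft.com/"
    "b2c_1a_signin_group_1/oauth2/v2.0/logout"
)

# Constructed allowlist: post-logout redirect URIs registered for the app.
REGISTERED_POST_LOGOUT_URIS = frozenset({"http://localhost:5001"})


def extract_post_logout_redirect_uri(logout_request_url: str) -> Optional[str]:
    """Return the post_logout_redirect_uri query parameter, or None if absent."""
    query = parse_qs(urlparse(logout_request_url).query)
    values = query.get("post_logout_redirect_uri", [])
    return values[0] if values else None


def is_registered_redirect(uri: str, registered: Iterable[str]) -> bool:
    """Exact-match check against the registered URIs. Prefix or substring
    matching would let an attacker-controlled host pass, so it is avoided."""
    return uri in set(registered)


def build_downstream_logout(end_session_endpoint: str,
                            post_logout_redirect_uri: Optional[str] = None,
                            state: Optional[str] = None) -> str:
    """Build the RP-initiated logout URL for the next hop, percent-encoding
    the redirect URI so it survives as a single query parameter."""
    params = {}
    if post_logout_redirect_uri:
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
    if state:
        params["state"] = state
    if not params:
        return end_session_endpoint
    return f"{end_session_endpoint}?{urlencode(params)}"


def chain_logout(incoming_url: str, registered: Iterable[str],
                 backend_endpoint: str) -> str:
    """Forward the application's logout to the backend tenant, propagating a
    validated post_logout_redirect_uri. A missing parameter yields a bare
    end-session request (the behaviour the question observes); an
    unregistered one is rejected instead of being forwarded."""
    redirect = extract_post_logout_redirect_uri(incoming_url)
    if redirect is None:
        return build_downstream_logout(backend_endpoint)
    if not is_registered_redirect(redirect, registered):
        raise ValueError(f"post_logout_redirect_uri not registered: {redirect}")
    return build_downstream_logout(backend_endpoint, redirect)


if __name__ == "__main__":
    print(chain_logout(SAMPLE_FRONTEND_LOGOUT, REGISTERED_POST_LOGOUT_URIS,
                       BACKEND_END_SESSION_ENDPOINT))
```

Note that whichever party receives the downstream request must have the forwarded URI registered with it: if the backend tenant only knows the frontend tenant's own return endpoint, the frontend would forward that endpoint and then redirect the browser on to the application itself, rather than passing the application's URI straight through.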