B2C - Cannot logout from IDP when two B2C tenants are involved.
Hello,
We have a special design of B2C tenants, as shown below, to support a large number of customers.
With this design the authentication flow works perfectly fine: the application requests authentication from the frontend tenant, the frontend forwards the request to the backend tenant, and the backend then forwards it to the IdP.
Metadata URL used for federating from the frontend B2C tenant to the backend B2C tenant: https://backendTenant.b2clogin.com/backendTenant.onmicrosoft.com/B2C_1A_signin/v2.0/.well-known/openid-configuration
We are facing an issue during logout:
- The application sends the logout request to the frontend tenant: https://frontendTenant.b2clogin.com/frontendTenant.onmicrosoft.com/B2C_1A_signin/oauth2/v2.0/logout?p=B2C_1A_signin&&post_logout_redirect_uri=http://localhost:5001
- The frontend sends a logout request to the backend tenant: https://backendTenant.b2clogin.com/backendTenant.onmicrosoft.com/b2c_1a_signin_group_1/oauth2/v2.0/logout
- The application's post-logout URL is called.
If we observe here, the backend tenant logout request doesn't contain the post_logout_redirect_uri field, hence the backend B2C tenant is not making an IdP logout request, because of which the IdP session is not getting cleared.
My questions:
- How can we make the frontend tenant send the same post_logout_redirect_uri field in the backend logout request?
- I tried setting an explicit end_session_endpoint in the technical profile, but how do I capture the original logout request and extract the post_logout_redirect_uri?
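The following script is an added example and is not part of the original post or of any Azure AD B2C policy. It audits a captured federated sign-out redirect chain of the kind described above: each hop is parsed for the B2C policy in use, whether it is a logout endpoint, and whether post_logout_redirect_uri survived, and the chain is flagged if the upstream IdP's end-session endpoint is never reached (the SSO session stays alive and the next sign-in silently succeeds without credentials). The observed chain is the one from the post; the IdP host `idp.example.com`, the allow-list of redirect hosts, and the shape of the "fixed" chain are constructed assumptions for illustration.

```python
"""Audit a federated sign-out redirect chain (constructed example, not B2C code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import parse_qs, urlparse

# Path suffixes that identify an end-session / logout endpoint across B2C and generic OIDC IdPs.
LOGOUT_PATH_SUFFIXES = ("/logout", "/endsession", "/end_session")


@dataclass
class Hop:
    index: int
    host: str
    policy: Optional[str]
    is_logout: bool
    post_logout_redirect_uri: Optional[str]


def parse_hop(index: int, url: str) -> Hop:
    """Extract the security-relevant fields of one redirect in the sign-out chain."""
    u = urlparse(url)
    q = parse_qs(u.query)  # tolerates the stray '&&' in the captured URL
    policy = q.get("p", [None])[0]
    if policy is None:
        # B2C custom policies can also appear as a path segment, e.g. /B2C_1A_signin/oauth2/v2.0/logout
        policy = next((s for s in u.path.split("/") if s.lower().startswith("b2c_1a_")), None)
    return Hop(
        index=index,
        host=(u.hostname or "").lower(),
        policy=policy,
        is_logout=u.path.rstrip("/").lower().endswith(LOGOUT_PATH_SUFFIXES),
        post_logout_redirect_uri=q.get("post_logout_redirect_uri", [None])[0],
    )


def audit_chain(urls: Iterable[str], idp_host: str, allowed_redirect_hosts: Set[str]) -> Dict[str, object]:
    """Return parsed hops plus a list of findings; an empty 'issues' list means sign-out propagated end to end."""
    hops: List[Hop] = [parse_hop(i + 1, url) for i, url in enumerate(urls)]
    issues: List[str] = []
    idp_reached = False
    for hop in hops:
        if not hop.is_logout:
            continue
        if hop.host == idp_host.lower():
            idp_reached = True
        if hop.post_logout_redirect_uri is None:
            issues.append(
                f"hop {hop.index} ({hop.host}, policy {hop.policy}): logout request carries no "
                "post_logout_redirect_uri, so this tenant will not propagate sign-out upstream"
            )
        else:
            target = (urlparse(hop.post_logout_redirect_uri).hostname or "").lower()
            if target not in allowed_redirect_hosts:
                # A redirect target outside the allow-list is an open-redirect risk on the logout path.
                issues.append(f"hop {hop.index} ({hop.host}): post_logout_redirect_uri points at unexpected host {target!r}")
    if not idp_reached:
        issues.append(f"IdP end-session endpoint on {idp_host} was never called; the IdP session is still alive")
    return {"hops": hops, "issues": issues, "idp_reached": idp_reached}


# Constructed inputs: the chain captured in the post, and an assumed chain in which every hop forwards the parameter.
IDP_HOST = "idp.example.com"  # assumed upstream IdP host
ALLOWED_REDIRECT_HOSTS = {"localhost", "frontendtenant.b2clogin.com", "backendtenant.b2clogin.com"}
OBSERVED_CHAIN = [
    "https://frontendTenant.b2clogin.com/frontendTenant.onmicrosoft.com/B2C_1A_signin/oauth2/v2.0/logout"
    "?p=B2C_1A_signin&&post_logout_redirect_uri=http://localhost:5001",
    "https://backendTenant.b2clogin.com/backendTenant.onmicrosoft.com/b2c_1a_signin_group_1/oauth2/v2.0/logout",
    "http://localhost:5001",
]
FIXED_CHAIN = [
    OBSERVED_CHAIN[0],
    "https://backendTenant.b2clogin.com/backendTenant.onmicrosoft.com/b2c_1a_signin_group_1/oauth2/v2.0/logout"
    "?post_logout_redirect_uri=https://frontendTenant.b2clogin.com/frontendTenant.onmicrosoft.com/B2C_1A_signin/oauth2/v2.0/logout",
    "https://idp.example.com/connect/endsession"
    "?post_logout_redirect_uri=https://backendTenant.b2clogin.com/backendTenant.onmicrosoft.com/b2c_1a_signin_group_1/oauth2/v2.0/logout",
    "http://localhost:5001",
]

if __name__ == "__main__":
    for label, chain in (("observed", OBSERVED_CHAIN), ("fixed", FIXED_CHAIN)):
        result = audit_chain(chain, IDP_HOST, ALLOWED_REDIRECT_HOSTS)
        print(f"{label}: idp_reached={result['idp_reached']}")
        for issue in result["issues"]:
            print("  -", issue)
```

To use this against a real deployment, replace the constructed lists with the Location headers recorded from the browser's network log (or from a client that follows redirects one hop at a time) and set the IdP host to the one behind the backend tenant; the first hop reported without post_logout_redirect_uri is where propagation stops.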