Azure AD - openid connect post_logout_redirect_uri when user does have a session

Question

Is there a addtional parameter & or workaround to get post_logout_redirect_uri to work if logout does not resolve internally in azure to a session. I am guessing no session & thus unkonwn client & thus no redirect? Just adding client_id=... does not seem to help.

I mean getting an uri to repeatable redirect back to app. https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2Flogout%2F%3F&client_id=<...>

Want to do this for a specific tennant rather than common but I guess its the same.

If user does not have a session - is it possible to still get a redirect e.g. able to write a uri & repeatable use it and get redirected. Don't want the logout to end up with close the window.

Answer 1

@llarsson , I apologize for the delay in my response. It took me some time as was busy trying to find the right answer for you to help you further with your query. Based on the internal discussions, I would say that, without session the logout redirect fails, since otherwise, it's an attack vector for open redirects. If we would use the request "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2Flogout%2F%3F&client_id=<...>" without a session, it would like take you to the page that says, "Successfully logged out", but it won't redirect, as AAD, won't just redirect without a proper session since that's not a safe practice.

If there is no session, no redirects happen, but if there is a session, AAD does redirect the user to the post_redirect_uri as mentioned in the request.

Regarding the race condition you mentioned, ideally, there won't be any race condition as AAD does remember the session that it just deleted. There is a race condition if multiple apps all attempt to sign out at the same time, but that's not something that happens.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

Answer 2

@llarsson , Thank you for reaching out. When the logout endpoint is called all the sessions like your application session and also the session of Azure AD gets destroyed. After the session gets destroyed, the post_logout_redirect_uri is used to get the user and on a page where you can provide another sign-in button, so that the user can re-initiate the sign-in and create a new session.

If you want to get the logout to work for a particular session, make sure its a single-tenant application and instead of common, you specify the tenant-id there., so that when this request gets fired, it is sent to that specific tenant ID.

Not really clear on this ask "If user does not have a session - is it possible to still get a redirect e.g. able to write a uri & repeatable use it and get redirected. Don't want the logout to end up with close the window." If there is no user session available, then there is no way to get redirected from AAD to your redirect URI. Its always the application that redirects you to AAD, for either authentication or logout and then AAD redirects you back to the application's desired page based on the value mentioned in the redirect_uri

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

Answer 3

"If there is no user session available, then there is no way to get redirected from AAD to your redirect URI."
But it contains post_logout_redirect_uri & clientid so it would definitly be possible. Otherwise its kind of a race condition expiration of session vs logout & troublesome fault handling as user could end up with "you are logged out please close your browser" rather than do the normal processing e.g. if re-attempting/retry the logout and treating the previous attempt as "failed" logout for some reason.

Answer 4

I'll mark it as an answer as its a confirmation on what I have seen but curious how/why is it considered an attack vector? I simply does not understand that choice...