We have Azure AD B2C custom policy and have enabled federated authentication with Azure AD tenant using OIDC protocol.
On user logout from B2C, openid-connect-technical-profile allows propagating the logout to Azure AD; the metadata attribute SingleLogoutEnabled is true by default.
Currently the Azure AD OIDC v2.0 logout endpoint prompts the user to log out.
The B2C OIDC technical profile seems to invoke the OIDC logout endpoint in the background from an iframe, so the user cannot respond to any prompts, causing the Azure AD logout request to fail silently.
There seem to be two possible alternatives:
- The B2C OIDC technical profile could issue an interactive logout request to the Azure AD endpoint, allowing the user to respond to the user selection prompt on the Azure AD side. The logout request may have been initiated by the B2C relying party, therefore the B2C OIDC technical profile needs to include the request query parameter post_logout_redirect_uri in the logout request to Azure AD, to handle redirecting the user back to the relying party's post-logout URI.
- The Azure AD OIDC v2.0 logout endpoint has a pending feature request to accept an id token hint to avoid the prompt to select the user. Eventually, for this option to work, the B2C OIDC technical profile also needs to be enhanced to pass the id token hint to the OIDC IDP logout endpoint.
It would be good to know whether there are any possible options / workarounds to have the user logged out of the Azure AD IDP in the current state, or whether we have to wait until both the Azure AD logout endpoint can accept an id token hint and the B2C OIDC technical profile can include the id token hint in the request to Azure AD.
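To make concrete what the two parameters discussed above do in an OIDC RP-initiated logout request, here is an added example that is not part of the original post or of any Azure AD B2C policy: it builds an end-session URL carrying `id_token_hint` and `post_logout_redirect_uri`, refuses a redirect URI that is not on the relying party's registered allow-list (so the logout endpoint cannot be turned into an open redirector), and audits a given logout URL for the two gaps described in the question. The endpoint, client id, allow-list and the unsigned sample id token are all constructed placeholders.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders (not real tenant data): the OP's end-session endpoint,
# the relying party's client id, and its registered post-logout redirect URIs.
END_SESSION_ENDPOINT = "https://idp.example.com/oauth2/v2.0/logout"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REGISTERED_POST_LOGOUT_URIS = {"https://app.example.com/signout-callback"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_id_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demo (real id tokens are signed by the OP)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def id_token_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature. This is only a local
    sanity check on which token is about to be sent back to the OP as a hint."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_end_session_url(id_token: str, post_logout_redirect_uri: str, state: str = "") -> str:
    """Build the RP-initiated logout URL. id_token_hint lets the OP end the right
    session without an account-picker prompt; post_logout_redirect_uri is forwarded
    only when it exactly matches a registered value."""
    if post_logout_redirect_uri not in REGISTERED_POST_LOGOUT_URIS:
        raise ValueError(f"unregistered post_logout_redirect_uri: {post_logout_redirect_uri}")
    if id_token_payload(id_token).get("aud") != CLIENT_ID:
        raise ValueError("id_token_hint was not issued to this client")
    params = {"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect_uri}
    if state:
        params["state"] = state
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def audit_logout_request(url: str) -> dict:
    """Flag the two gaps from the question: without id_token_hint the OP must prompt
    (which a hidden iframe cannot answer), and without post_logout_redirect_uri the
    user is left at the OP instead of returning to the relying party."""
    query = parse_qs(urlsplit(url).query)
    return {
        "will_prompt": "id_token_hint" not in query,
        "returns_to_rp": "post_logout_redirect_uri" in query,
    }
```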