Azure AD B2C Custom Policy: Logout to Azure AD OIDC IDP fails

mistry mehul 1 Reputation point
2021-11-01T21:23:54.107+00:00

We have Azure AD B2C custom policy and have enabled federated authentication with Azure AD tenant using OIDC protocol.

On user logout from B2C, openid-connect-technical-profile allows to propagate logout to Azure AD, the metadata attribute SingleLogoutEnabled is true by default.

Currently Azure AD OIDC v2.0 logout endpoint prompts for user to logout.

B2C OIDC technical profile seems to be invoking OIDC logout endpoint in background from an iframe, the user cannot respond to any prompts causing Azure AD logout request to fail silently.

There seems to be two possible alternatives:

  • B2C OIDC technical profile could issue interactive logout request to Azure AD endpoint, allowing the user to respond to respond on user selection prompt at Azure AD side. The logout request may have been initiated by B2C relying party, therefore B2C OIDC technical profile needs to include request query parameter post_logout_redirect_uri in logout request to Azure AD, to handle redirecting user back to relying part post logout uri.
    • Azure AD OIDC v2.0 logout endpoint has pending feature request to accept id token hint to avoid prompt to select the user. Eventually, for this option to work, B2C OIDC technical profile also needs to be enhanced to be able to pass id token hint to OIDC IDP logout endpoint.

Would be good to know whether there are any possible options / workarounds to have the user logged out of Azure AD IDP in current state, or we have to wait till both Azure AD logout endpoint has capability to accept id token hit as well as B2C OIDC technical profile have the capability to include id token hint to Azure AD.

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,639 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Janusz Skop (c) 1 Reputation point
    2022-08-04T11:40:03.763+00:00

    Sorry for late answer but there's a workaround:

    • Register your client app in AAD (from which you cannot sign out)
    • Note logout endpoint in of AAD
    • Construct logout url (https://login.onmicrosoft.com/common/.....). Don't forget to specify client id and post logout redirect uri parameters
    • Handle post logout or user signed out event (can't remember exactly) provided by MSAL library in your client app in which you redirect user to constructed url

    That's it. I did this PoC in my previous work both in both ASP.NET Core MVC and React. In case of MVC it needs to be configured in Startup or Program (depending on .NET version) in React you do this in MSAL configuration part.

    0 comments