Azure AD B2C automatic session timeout not happening

2022-02-03T17:02:26.697+00:00

I have a React application which uses Azure AD B2C to authenticate users. The session configuration in the Azure portal is set to expire within 15 min. But after 15 min the session does not expire at all.

My testing process:

I log in using the Azure AD B2C login page; after a successful login the user is redirected to the homepage. There I leave the page inactive for 15 min, and after that I refresh the page. Instead of being logged out due to session inactivity, the app remains active.

Expected Behaviour:

The session should automatically expire after 15 min of inactivity and take the user to the Azure login page.

Actual Behaviour:

The application does not time out after a 15-minute inactive period; it still continues to navigate between pages.

Find below the configurations:

(screenshot: 171102-image.png)


9 answers

  1. Nathan J Graham 6 Reputation points
    2022-08-29T14:32:43.587+00:00

    Can anyone confirm whether there is a solution to this issue? I am still experiencing exactly the same problem with our Angular application. Both the web session and token lifetime values are set to 15 minutes. The user is never signed out.


  2. Shweta Mathur 29,011 Reputation points Microsoft Employee
    2022-02-07T12:40:22.007+00:00

    Hi @Priyadarshini Muthuraman (One IT IBM) ,

    Apologies for the delay in response.

    Azure AD B2C manages three types of SSO sessions:
    • Session managed by Azure AD B2C
    • Session managed by IP
    • Session managed by application (Web or SPA)

    The session configuration in the Azure portal set to 15 min is managed by Azure AD B2C, which stores a cookie-based session in the web browser.

    Also, a web or single-page application can be protected by an OAuth2 access token, and whenever the user tries to access it, the application checks whether there is an active session on the application side and reauthenticates the user without asking for the credentials again.

    When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. Your application needs to perform a sign-out by redirecting to the end_session_endpoint that is listed in the OpenID Connect metadata document.

    GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Fjwt.ms%2F

    Upon a sign-out request, Azure AD B2C invalidates the Azure AD B2C cookie-based session, and attempts to sign out from federated identity providers.

    If you use the (optional) post_logout_redirect_uri parameter, the user is redirected to that URL after a successful sign-out.

    Hope this helps.

    Thanks,
    Shweta

    ----------------------------------------------------------------------------------

    Please remember to "Accept Answer" if answer helped you.

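The application-side half of what the answer above describes, as an added example that is not part of this thread or of any Microsoft sample: the B2C "web app session lifetime" governs the SSO cookie on b2clogin.com, while the SPA keeps its own tokens, so an idle timeout has to be tracked in the app and finished by redirecting to the end_session_endpoint quoted above. The tenant name, policy name and `IdleSessionGuard` helper are assumptions for illustration; the logout URL pattern and the jwt.ms redirect URI are the ones from the answer. The clock and the redirect function are injected so the logic runs under Node.js without a browser.

```javascript
// Added example (not from the original thread): idle-timeout enforcement for an SPA
// that signs in with Azure AD B2C. Tenant, policy and the guard class are placeholders.

const TENANT = "contoso";                       // assumed tenant name (placeholder)
const POLICY = "B2C_1_signupsignin";            // assumed user-flow name (placeholder)
const POST_LOGOUT_REDIRECT = "https://jwt.ms/"; // redirect URI used in the thread's logout URL
const IDLE_TIMEOUT_MINUTES = 15;                // matches the portal setting in the question

// Build the logout URL following the end_session_endpoint pattern quoted in the answer.
function buildLogoutUrl(tenant, policy, postLogoutRedirectUri) {
  const base = `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/${policy}/oauth2/v2.0/logout`;
  return `${base}?post_logout_redirect_uri=${encodeURIComponent(postLogoutRedirectUri)}`;
}

// Decode a JWT payload (base64url). No signature check: this is expiry bookkeeping in the
// client, not an authorization decision; the resource server still validates the token.
function decodeJwtPayload(token) {
  const part = token.split(".")[1];
  if (!part) throw new Error("not a JWT");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Constructed, unsigned test token (sample input only; never accept such a token server-side).
function makeUnsignedJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}

// True when the token's exp claim (seconds since epoch) has passed, allowing for clock skew.
function tokenExpired(token, nowSeconds, skewSeconds = 0) {
  const { exp } = decodeJwtPayload(token);
  return typeof exp !== "number" || nowSeconds - skewSeconds >= exp;
}

// Tracks the last user activity and forces a real sign-out once the idle window has elapsed.
class IdleSessionGuard {
  constructor({ timeoutMinutes, now, redirect, clearLocalSession }) {
    this.timeoutMs = timeoutMinutes * 60 * 1000;
    this.now = now;                             // injected clock (Date.now in a browser)
    this.redirect = redirect;                   // browser: (url) => window.location.assign(url)
    this.clearLocalSession = clearLocalSession; // e.g. clear the MSAL token cache / app storage
    this.lastActivity = now();
    this.signedOut = false;
  }
  touch() { this.lastActivity = this.now(); }   // call on click/keydown/route change
  idleFor() { return this.now() - this.lastActivity; }
  // Call on page load/refresh and from a timer. Returns true once sign-out has been triggered.
  check() {
    if (this.signedOut) return true;
    if (this.idleFor() < this.timeoutMs) return false;
    this.signedOut = true;
    this.clearLocalSession();                   // drop cached tokens first ...
    this.redirect(buildLogoutUrl(TENANT, POLICY, POST_LOGOUT_REDIRECT)); // ... then end the B2C session
    return true;
  }
}

// Stand-alone demo with a fake clock.
let fakeNow = 0;
const demo = new IdleSessionGuard({
  timeoutMinutes: IDLE_TIMEOUT_MINUTES,
  now: () => fakeNow,
  redirect: (url) => console.log("redirecting to", url),
  clearLocalSession: () => console.log("local session cleared"),
});
fakeNow = 16 * 60 * 1000;
demo.check();
```

Clearing local storage alone is the mistake the thread keeps hitting: on the next refresh the library silently re-acquires tokens from the still-valid B2C cookie. Redirecting to the logout endpoint is what invalidates that cookie, so the guard always does both. `tokenExpired` is useful for the separate case raised later in the thread, where a cached token outlives the portal setting: decide from its `exp` claim rather than from wall-clock guesses.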

  3. Vasant Horapeti 1 Reputation point
    2022-02-27T10:15:30.477+00:00

    @Shweta Mathur. The question is about the case where the user does not click the Sign-out button. Any web application that has authentication should automatically sign the user out once the session lifetime has been exceeded with no user activity. What configuration do we have to do for the user to be signed out automatically if there is no activity from the user? Currently we have a 15-minute session lifetime and would like the user to be signed out automatically if there is no activity: if the user comes back after 20 minutes (just an example) and clicks on a page, it should automatically sign out. What configuration do we have to change to achieve this session behaviour?


  4. Anonymous
    2022-08-17T06:00:01.35+00:00

    I have faced the same problem. I have a NextJS app, and the way "Session behavior" works is the same as the problems described in the messages above. "Web app session lifetime (minutes)" does not work. I set the time limit to 15 minutes and the auto logout does not take place.
    Is there a solution to this problem now?


  5. Oleh Sharyk 6 Reputation points
    2022-08-29T14:39:06.323+00:00

    Unfortunately, no solutions.
    What I found for React apps (I think it is the same issue for Angular, as Angular is also an SPA):

    Refresh tokens sent to a redirect URI registered as a single-page application expire after 24 hours.
    This is declared in https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens#token-timeouts. More info: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/token-lifetimes.md#token-lifetimes-expiration-and-renewal and https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/4056#issuecomment-917246299 in the GitHub issue.