azure ad signout flow

Question

azure ad signout flow

testuser7 286

As we know,

When user tries to open any desktop-app on AAD-joined windows box, this desktop-app talks with WAM and with help of the Primary Refresh Token WAM gets the access and id-token and hand it over to the app so that app can let user into the application seamlessly.

This is how user enjoys SSO

Now if user wants to logout from the app, app can clear everything in its repository.
However, what happens at the WAM ?
Does app communicate with the WAM and does WAM communicate with AAD about this logout ?
Is any browser-cookie involved in this flow to clear out ?

Thanks.

risolis 8,741 Reputation points

2022-06-26T05:43:21.25+00:00

Hello @testuser7

Thank you for your great post.

I may say that this is the way this should work based on your statement.

A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It is a JSON Web Token (JWT) specially issued to Microsoft first party token brokers to enable single sign-on (SSO) across the applications used on those devices. In this article, we will provide details on how a PRT is issued, used, and protected on Windows 10 or newer devices.

https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

Hoping this was useful for you : )

Looking forward to your feedback,

Cheers,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
testuser7 286 Reputation points

2022-06-26T12:20:43.713+00:00

thanks @risolis

I am sorry but you did not answer my specific question.
I have gone through that link several times.

It is good link but not going in more detail.
I am asking about those detail.

if you can , just focus on what I have written and help me understand where it is fitting ?

2 answers

Your answer

risolis 8,741 Reputation points

2022-06-26T05:43:21.25+00:00

Hello @testuser7

Thank you for your great post.

I may say that this is the way this should work based on your statement.

A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It is a JSON Web Token (JWT) specially issued to Microsoft first party token brokers to enable single sign-on (SSO) across the applications used on those devices. In this article, we will provide details on how a PRT is issued, used, and protected on Windows 10 or newer devices.

https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

Hoping this was useful for you : )

Looking forward to your feedback,

Cheers,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
testuser7 286 Reputation points

2022-06-26T12:20:43.713+00:00

thanks @risolis

I am sorry but you did not answer my specific question.
I have gone through that link several times.

It is good link but not going in more detail.
I am asking about those detail.

if you can , just focus on what I have written and help me understand where it is fitting ?

Answer 1

Your welcome @testuser7

Thank you for your response back.

This is my humble opinion on this one... Read below : )

For instance, you need to keep in mind that if you do not have session persistence on your Identity environment, the web cookie will be dropped. In case you have a proxy identity service it will be authenticated to it and if not, then will occur the following:

The sign-in frequency setting works with 3rd party SAML applications and apps that have implemented OAuth2 or OIDC protocols, as long as they don't drop their own cookies and are redirected back to Azure AD for authentication on regular basis.

Looking forward to your feedback,

Regards,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Moderator

Hello @testuser7 , WAM SignOutAsync() can be called programmatically by any application and will clear all cached tokens associated with the account, and tell the provider to invalidate any tokens associated with the account for such app.

Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.

testuser7 286 Reputation points

2022-06-27T12:07:21.797+00:00

Thanks @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA
This is what I was trying to find .

So when any desktop-app sends a request to WAM to get the token so that app can call that service-provider (eg. graph) as shown below

WebTokenRequest request = new WebTokenRequest(provider, "User.Read", clientId);
request.Properties.Add("resource", "https://graph.microsoft.com");
WebTokenRequestResult result = await WebAuthenticationCoreManager.RequestTokenAsync(request);

If user has NOT already granted the requested scopes to this app then will WAM make it interactive ??
Meaning, will WAM open the browser context and route the user to AAD to complete the consent flow ?

Thanks.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2022-06-28T20:10:17.823+00:00

Hello @testuser7 , that's correct. UI will be displayed if required.

Please let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.
testuser7 286 Reputation points

2022-06-30T16:25:43.887+00:00

Thanks @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA for validating.
So WAM indeed opens the browser context to complete the residual work.
It may not be for consenting the scopes. But it could be for completing MFA (because the PRT may not have mfa claim stamped in it yet)

Coming back to sign-out flow, when user intends to sign out from the desktop-app, the app will clear everything in its repo and calls the WAM SignOutAsync()
This will Signs the web account out asynchronously.
This clears all cached tokens i.e., refresh-tokens associated with the account, and tells AAD to invalidate any tokens associated with the account for this app.

But my point is, the PRT is still live and active.
So if the same user opens this app again from Start menu, WAM will use the PRT and get tokens for the app again. Right ??

I am not following what is the actual outcome of desktop sign-out ??

Thanks.
testuser7 286 Reputation points

2022-07-09T13:19:31.107+00:00

Hi @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA
Any update on above point ?

I am not calling it an issue as such because that is the behavior I would expect.
I just want to make sure that I am thinking straight and not missing any important concept around it.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2022-07-10T00:35:58.407+00:00

Hello @testuser7 , scope consenting should also be part of the UX. Yes, PRT will still be alive and active and thus can be used to get additional tokens unless 14 days have passed since the last time it was used, the user has been de and re-activated, the device is no longer valid, the password has changed or there is a TPM issue. For more information take a look to How is a PRT invalidated?

Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.

Share via

azure ad signout flow

2 answers

Your answer