Sign Out Of All Accounts When RedirectURI returns to guarded application

Time:01-08

I am using MSALjs to logout a user on my application. When the msalService.logoutRedirect() is triggered, the page redirects and is logged out. However, my application does not have an "un-guarded" route, thus the redirect after logout (postLogoutRedirectUri) is set to return to the application's last active page. And when it returns to the application, the MSAL guard automatically finds a valid MS session and logs back in again automatically (after redirects).

If I change the postLogoutRedirectUri to https://login.microsoftonline.com/common/oauth2/logout, the logout does work and I am signed out correctly. However, I would like to immediately be prompted to sign back in, which is why I intend on returning to the application so the MsalGuard can prompt sign in.

Per a recent GitHub issue, one of the MSAL contributors said the following:

This is a nuance of how B2C works. By default B2C might not log you out of your federated identity provider when you call the logout endpoint, this is explained in more detail here. I unfortunately don't know enough about B2C configuration to give you a definitive answer but you may need to create a custom policy which redirects to the AAD logout endpoint you mentioned: 'https://login.microsoftonline.com/common/oauth2/logout' as this endpoint is the one that ultimately closes your session with AAD. You can also have B2C pass through your postLogoutRedirectUri to this endpoint so that AAD redirects you back to your application after the logout instead of ending on the "Close this window" screen, if desired.

How can I set this up so the logout is triggered correctly and all sessions are signed out?

Furthermore, if I manually change the metadata of the openid-config to have the "end_session_endpoint" equal to the microsoftonline logout link from above, the behavior seems to be more in line with what I would expect.

CodePudding user response:

You could send the app's post-logout redirect URI to the federated IdP's logout URL. You can set the postLogoutRedirectURI in the MSAL config object.

And at the federated IdP, set the logout URL to the application.

This approach only works if you are using one federated IdP, and it is the only IdP available.


function signOut() {
    // Send the user to the AAD (federated IdP) logout endpoint; that endpoint then
    // redirects back to the application via its own post_logout_redirect_uri.
    // The nested URI is percent-encoded so it survives as a single query parameter.
    const logoutRequest = {
        postLogoutRedirectUri:
            "https://login.microsoftonline.com/common/oauth2/v2.0/logout?" +
            "post_logout_redirect_uri=" + encodeURIComponent("https://myapp.com")
    };
    myMSALObj.logoutPopup(logoutRequest);
}

Otherwise, make an unguarded page in your app that redirects to the guarded page, but sets the MSAL prompt parameter to “login”. At least then the B2C login page will appear, and allow the user to select how they want to login. They may still get SSO if they select a federated IdP.
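The chained logout described in the first approach, as an added example that is not part of the original answer or of MSAL.js: the function names, the allowlist and the sample app origin https://myapp.com are assumptions. It builds the B2C -> AAD -> application redirect chain and refuses any final landing page that is not on the app's own allowlist, so the nested post_logout_redirect_uri cannot be turned into an open redirect.

```javascript
// Added example (not from the original post). Names and values are hypothetical.
const AAD_LOGOUT_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/logout";

// Constructed sample: only these origins may be the final landing page after logout.
// Anything else is rejected, mirroring the registered post-logout redirect URIs in AAD.
const ALLOWED_POST_LOGOUT_ORIGINS = ["https://myapp.com"];

// Returns the AAD logout URL that, once AAD has ended its session, sends the user
// back to the application. Used as MSAL's postLogoutRedirectUri so B2C's logout
// endpoint forwards to AAD instead of stopping at the "Close this window" page.
function buildFederatedLogoutUri(appPostLogoutUri, allowedOrigins = ALLOWED_POST_LOGOUT_ORIGINS) {
  const target = new URL(appPostLogoutUri); // throws on a malformed URI
  if (!allowedOrigins.includes(target.origin)) {
    throw new Error("post-logout redirect not allowlisted: " + target.origin);
  }
  const logoutUrl = new URL(AAD_LOGOUT_ENDPOINT);
  // URLSearchParams percent-encodes the nested URI, so B2C and AAD each see one
  // post_logout_redirect_uri parameter rather than a truncated query string.
  logoutUrl.searchParams.set("post_logout_redirect_uri", target.href);
  return logoutUrl.href;
}

// The request object handed to msalInstance.logoutRedirect()/logoutPopup().
function buildLogoutRequest(appPostLogoutUri) {
  return { postLogoutRedirectUri: buildFederatedLogoutUri(appPostLogoutUri) };
}

// msalInstance is a hypothetical PublicClientApplication-like object exposing logoutRedirect().
function signOut(msalInstance, appPostLogoutUri = "https://myapp.com/") {
  return msalInstance.logoutRedirect(buildLogoutRequest(appPostLogoutUri));
}
```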
