Azure-Samples / active-directory-b2c-custom-policy-starterpack

Azure AD B2C now allows uploading of a Custom Policy which allows full control and customization of the Identity Experience Framework
http://aka.ms/aadb2ccustom
MIT License

Is it possible to use Single Sign-Out for an Azure B2C SPA application? Where do you describe the logout URL? #152

Open xtianus79 opened 12 months ago

xtianus79 commented 12 months ago

The Azure B2C documentation states that it supports Single Log Out (SLO) but I can't figure out how this works with a registered SPA application.

If one app is registered in B2C as app1.mydomain.com and another app as app2.mydomain.com as well, there is a Front-channel logout URL which is described as something that will log out the application specifically:

When Azure AD B2C receives the logout request, it uses a front-channel HTML iframe to send an HTTP request to the registered logout URL of each participating application that the user is currently signed in to. Note, the application that triggers the sign-out request will not get this log-out message. Your applications must respond to the sign-out request by clearing the application session that identifies the user.

  • For OpenID Connect and OAuth2 applications, Azure AD B2C sends an HTTP GET request to the registered logout URL.
  • For SAML applications, Azure AD B2C sends a SAML logout request to the registered logout URL.

This is a setting that is in the app registration and for SPA applications there is nothing that you can do to reference the "log out" url.

The front-channel logout URL is predefined as https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<PolicyName>/oauth2/v2.0/logout

So if this is supposed to send an HTML iframe to "log out" of the other applications that it knows about, where can you add the logout URL? It's not in the custom policy or flow.

Other documentation suggests this:

Yes, you need to manually clear the local storage or handle it using your application.

What does that mean? How can we manually clear the cookies if the functionality of the SLO can't work because it is not knowing about the logout URL's of the applications?

Can we edit the front-channel logout URL to our domains i.e. app1.mydomain.com/logout which then would do something to hit the endpoint and then redirect them to the original Front-Channel logout URL?

Or, do we have to run the checks on the token for each app upon browser refresh and silent refresh capabilities of B2C?
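As an added example (not code from this repository, from Microsoft, or from the issue author), here is what the page at a SPA's own registered front-channel logout URL would do when B2C loads it in the iframe described in the quoted documentation. It assumes, following the issue's own wording, that https://app1.mydomain.com/logout is registered as app1's Front-channel logout URL and that the SPA keeps its session under a hypothetical localStorage key prefix "app1.session." (a real MSAL.js cache uses its own key layout, so the prefix would need to match whatever your app stores). The optional `iss` and `sid` query parameters checked below come from the OIDC Front-Channel Logout specification; the B2C text quoted above does not say whether B2C sends them, so the check only refuses the request when a parameter is present and does not match, and `requireSid` is off by default. The session-clearing logic is kept in plain functions with an in-memory stand-in for localStorage so it can run outside a browser; the `window` block at the end is the browser bootstrap.

```javascript
// Added example: front-channel logout handler for a SPA (not the repo's or the author's code).
// ASSUMPTION: the SPA stores its session under this prefix; adjust to your app's key layout.
const SESSION_PREFIX = "app1.session.";

// Constructed stand-in for window.localStorage so the logic can run under Node.
function makeStorage(entries) {
  const data = new Map(Object.entries(entries || {}));
  return {
    get length() { return data.size; },
    key(i) { const keys = Array.from(data.keys()); return i < keys.length ? keys[i] : null; },
    getItem(k) { return data.has(k) ? data.get(k) : null; },
    setItem(k, v) { data.set(k, String(v)); },
    removeItem(k) { data.delete(k); },
  };
}

// Snapshot keys first: localStorage key order is implementation-defined and
// removing while indexing can skip entries.
function collectKeys(storage) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));
  return keys;
}

// Remove every session entry; return the removed keys so the caller can audit them.
// Entries outside the prefix (UI preferences etc.) are deliberately left alone.
function clearAuthSession(storage, prefix) {
  const p = prefix || SESSION_PREFIX;
  const removed = collectKeys(storage).filter((k) => k !== null && k.startsWith(p));
  removed.forEach((k) => storage.removeItem(k));
  return removed.sort();
}

// Decide whether a GET to the logout URL should be honoured. Anyone can embed
// the logout URL in an iframe, so if the IdP supplies `iss`/`sid` (optional per
// the OIDC Front-Channel Logout spec; ASSUMPTION: not confirmed for B2C here),
// a mismatch against the values recorded at sign-in is refused.
function shouldHonourLogout(logoutUrl, expected, options) {
  const opts = options || {};
  const params = new URL(logoutUrl).searchParams;
  const iss = params.get("iss");
  const sid = params.get("sid");
  if (opts.requireSid && sid === null) return false;
  if (iss !== null && expected.issuer && iss !== expected.issuer) return false;
  if (sid !== null && expected.sid && sid !== expected.sid) return false;
  return true;
}

// Full handler: validate, then clear. Returns what happened for logging/tests.
function handleFrontChannelLogout(logoutUrl, storage, expected, options) {
  if (!shouldHonourLogout(logoutUrl, expected, options)) {
    return { cleared: false, removed: [] };
  }
  return { cleared: true, removed: clearAuthSession(storage) };
}

// Browser bootstrap: runs only when this script is loaded at /logout in a browser.
if (typeof window !== "undefined" && window.location && window.location.pathname === "/logout") {
  // Values the app recorded at sign-in (ASSUMPTION: stored under these keys).
  const expected = {
    issuer: window.localStorage.getItem(SESSION_PREFIX + "iss"),
    sid: window.localStorage.getItem(SESSION_PREFIX + "sid"),
  };
  const result = handleFrontChannelLogout(window.location.href, window.localStorage, expected);
  // Other open tabs of this SPA hold in-memory state too; tell them to drop it.
  if (result.cleared && typeof BroadcastChannel !== "undefined") {
    new BroadcastChannel("app1-auth").postMessage("signed-out");
  }
  // When loaded inside the IdP's iframe (window.top !== window.self) do not
  // navigate anywhere: B2C is driving the sign-out and will redirect the top
  // window itself once the iframes have been sent.
}

module.exports = { SESSION_PREFIX, makeStorage, clearAuthSession, shouldHonourLogout, handleFrontChannelLogout };
```

Two things worth keeping in mind when wiring this up: the quoted documentation says the application that triggered the sign-out does not receive this GET, so that app still has to clear its own cache in its normal logout flow, and the logout page must be cheap and side-effect free on load (no redirects, no auth bounce), because it is fetched inside a hidden iframe.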

vlmironov commented 5 months ago

@xtianus79 This helped me a ton to understand how Single Sign Out works: https://youtu.be/AmDHni22TVs?si=77DXrYN0XwLS8fk6