Azure / api-management-developer-portal

Developer portal provided by the Azure API Management service.
MIT License

Developer Portal to set up Sign Out with OAUTH #1068

Open harithasajja opened 3 years ago

harithasajja commented 3 years ago

Insight: We enabled developer portal user sign-in with OAUTH. Azure Active Directory is our IdP and this is configured under Identities in APIM. The developer portal is registered as a client in AAD.

We are using Sign in with OAUTH function. The sign in works as expected with OAUTH.

The issue is with the sign-out process. There is no option to Sign out with OAUTH currently provisioned.

Hence we are using the standard Sign out function.

This only enables our users to sign out of their Developer portal session. It does not log the AAD session out. So when a user signs back in, they are not redirected through the login process; they are signed right back in. This is a security vulnerability and does not comply with our security requirements for 2FA.

We raised a case with Microsoft. After reviewing our request, the Microsoft Product Group recommended raising it as an open issue on GitHub.

azaslonov commented 3 years ago

Thanks @harithasajja, indeed, we plan to leverage AAD signout functionality to address the concern.

harithasajja commented 3 years ago

Thanks Alex.


campifoo commented 3 years ago

Any status on when this will be done? We are having the same issue and are trying to figure out a workaround with our B2C tenant.

mikebudzynski commented 3 years ago

We don't have any update at this moment.

wkarratoon commented 3 years ago

I have updated this comment since originally posting to further emphasize that this is a Developer Portal bug:

We have in fact verified that the B2C logout URI we link to from our custom sign out button does do the job of expiring the B2C (MSAL 2 library) tokens and logging out of the B2C tenant. These MSAL tokens are not, however, cleared from the browser cache, but they are not the issue (they are expired). The issue is that the Developer Portal SAS token is not cleared, and it is not clearable manually in the browser either (it returns on the next refresh after deletion). However, /#signout does clean out the SAS token.

This behavior makes a very strong case for a signout-oauth button to make this all more foolproof for the Developer Portal administrative designer (see also https://github.com/Azure/api-management-developer-portal/issues/1301).

Is there any timeline yet?

wkarratoon commented 3 years ago

Here's a link to the MSAL 2 code that handles logout fine with cache clearance: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/%40azure/msal-browser_v2.7.0/lib/msal-browser/src/app/ClientApplication.ts#L553

Note that the default /#signout mentioned in the prior comment does not do anything regarding the AAD B2C session. I mentioned it only for its unique cleanup of the APIM SAS token (which MSAL does nothing about).

davidipaq commented 3 years ago

Yes, we are looking forward to that update too. Advice appreciated.

ghost commented 3 years ago

By adding this issue to the Backlog project, we have prioritized it for development. You can monitor its status in the project's board.

wkarratoon commented 3 years ago

Thank you Alexander! Do you know when will this be formally released/available for use for the managed Developer Portal?

-Mark

> Closed #1068 via #1346 (https://github.com/Azure/api-management-developer-portal/pull/1346)

mikebudzynski commented 3 years ago

@wkarratoon, the improvement is included in the just-released portal version 2.10.0. We expect to roll it out to all managed portals within the next 3-4 weeks.

wkarratoon commented 2 years ago

Please explain in a sequenced way what a Developer Portal developer using a B2C tenant is expected to do to get full sign-out (both B2C and the default Developer Portal SAS token) working. I have tried various reply URL settings in the modified B2C sign-in button and likewise for my custom sign out button, and nothing works for complete sign out. The same issue is present. I was expecting that a simple sign out button link to /#signout or /signout would take care of everything, detecting that you are using a B2C tenant as configured in the administrative interface. (There is no update to the documentation I could find either.)

mikebudzynski commented 2 years ago

@wkarratoon, have you republished your portal to make sure it's based off the latest release?

wkarratoon commented 2 years ago

@mikebudzynski, for our QA environment prior to fix/publishing we had a Sign out button linked to (tenantName is deliberately not exposed below):

https://**_tenantName_**.b2clogin.com/.onmicrosoft.com/B2C_1_devportal-signin/oauth2/v2.0/logout?post_logout_redirect_uri=https://**_devPortalDomainName_**/

This was able to log out of B2C, but because the default SAS token was still present you still appear authenticated and can view APIs. Getting the user to additionally enter https://**_devPortalDomainName_**/#signout takes care of the SAS token. So I want to know explicitly what I need to do with button attributes/link assignments.

Our QA dev portal was republished and I set:

This does not work: it takes me to a generic https://login.microsoftonline.com/common/oauth2/v2.0/logoutsession page, and if I then navigate back to my home page I am still logged in courtesy of the SAS token.

So I need to know exactly what I should do or am missing here, particularly what my custom sign-out button should link to (prior to this it was linked to a custom tenant B2C logout/redirect URL which achieved B2C logout but cannot clear the SAS token; the only mechanism I am aware of that does the latter is https://**_devPortalDomainName_**/#signout).

vu-pb commented 2 years ago

Having the same issues as @wkarratoon. Any update on this would be much appreciated!! Republished the portal yesterday too.

azaslonov commented 2 years ago

Hi @vu-pb, @wkarratoon, I assume you guys are running self-hosted portals? If yes, at least one thing you could check for your published website is that AadSignOutRouteGuard gets executed during the sign-out.

wkarratoon commented 2 years ago

Not self-hosted, but we are running our APIM service in a VNet behind App Gateway.

azaslonov commented 2 years ago

Ok, I reproduced the issue: the token gets restored from the cookie which is not cleared in case of B2C sign-out. We'll fix this.

wkarratoon commented 2 years ago

When done, could you also advise as to what we need to do? (There's no update to the documentation.) Specifically, there was no new OAuth sign-out button, so what URL should we link to with our custom sign-out button?

For example, this: https://**_tenantName_**.b2clogin.com/.onmicrosoft.com/B2C_1_devportal-signin/oauth2/v2.0/logout?post_logout_redirect_uri=https://**_devPortalDomainName_**/

OR more simply this: https://**_devPortalDomainName_**/#signout with B2C logout handled automatically based on settings accessible from APIM?

azaslonov commented 2 years ago

When done, the handler for the #signout route should take care of everything, effectively cleaning up the dev portal and B2C sessions. No action on your side.

claireyu1207 commented 2 years ago

@azaslonov I'm having a similar issue. When I click a button to /#signout, it takes me to a generic https://login.microsoftonline.com/common/oauth2/v2.0/logoutsession page.

However, we didn't set the Custom reply URL on the Sign-in button OAuth/AAD B2C, and we're running a self-hosted portal. For the AAD B2C sign-in, we are using the default official button provided, with no backend customization related to it.

How could we have a button that simply logs out and redirects the user to the current/home page after that?

You had recommended checking that AadSignOutRouteGuard gets executed during the sign-out. I added some breakpoints in the Chrome developer tools when signing out. You could refer to the capture below; please let me know if I didn't locate the correct part of the code.

AnRei123 commented 2 years ago

Currently, after logging in with a personal business account through the AAD button and signing out, it is not possible for a developer to log in again with a different (functional) account in a managed environment. How do you expect developers to easily log in and switch between their different AAD accounts? Should I raise an additional ticket describing this issue?

azaslonov commented 2 years ago

The issue should be fixed by now. Can anyone still reproduce it?

@AnRei123, sorry, missed your message. Same question, do you still encounter the issue?

y10e commented 2 years ago

@azaslonov I use the managed Developer Portal. I re-published the developer portal (created a new portal version and marked it as current) this week, but the same issue is continuing. The version is the following:

https://xxx.developer.azure-api.net/internal-status-0123456789abcdef {"Status":200,"PortalVersion":"202111240222","CodeVersion":"20211104190824","Version":"0.23.1403.0","RoleNumber":"gwhost_1"}

I confirm that the following cookies were stored after signing in with "Azure AD B2C". But the following cookies still remain after clicking "sign-out":


I deleted these cookies manually. After deleting them, the Sign-in Screen for Azure Active Directory B2C shows again normally. Even after I click "#sign-out", the Sign-in Screen for Azure Active Directory B2C does not show and sign-in is done automatically unless I delete these cookies.


Maeve878 commented 2 years ago

Hello @azaslonov I use the managed Developer Portal and sign in with OAUTH "Azure AD B2C". I'm having a similar issue. When I click a button to /#signout, it takes me to the https://login.microsoftonline.com/common/oauth2/v2.0/logoutsession page and the Developer Portal SAS token is not cleared. When will it be fixed? Our service will be released on 26th Dec 2021.

azaslonov commented 2 years ago

Hi @Maeve878, since you see https://login.microsoftonline.com/common/oauth2/v2.0/logoutsession, this means you've got the fix for the developer portal itself: it terminates the dev portal session, cleans up cookies, and executes the B2C logout flow. The AAD/B2C session itself is out of APIM's control. We're looking for advice from the AAD teams right now; I'll keep you posted.

Maeve878 commented 2 years ago

Hi @azaslonov, thank you for your reply. When I see https://login.microsoftonline.com/common/oauth2/v2.0/logoutsession, if I don't close the browser, visit the developer portal again and click the Azure AD B2C OAUTH button, I will successfully sign in without authentication. I look forward to hearing from you.

LeHaine commented 2 years ago

We are seeing a similar issue where we can sign in just fine but using the /#signout doesn't actually seem to make a request to the B2C app's Front-channel logout URL in order to clear the session data.

Signing out does bring us to https://login.microsoftonline.com/common/oauth2/v2.0/logoutsession which terminates the developer portal session but never seems to run the actual B2C logout flow / make a request to that front-channel logout URL.

MichdeJong commented 1 year ago

Is there an update to this issue? We are suffering from the same thing.

Looking at the code I see some potential issues. In aadSignoutRouteGuard on line 31 it creates an msalConfig without specifying the authority. The authority (according to MSAL) defaults to "https://login.microsoftonline.com/common", and this is exactly what we see happening: the logoutPopup calls logoutsession on this URL instead of on our own B2C tenant URL.

In comparison, see aadServiceV2 on line 83, where the authority URL is included.

Unfortunately I am not in the position to test changes to this code myself.

Another thing I do not understand is that aadSignoutRouteGuard on line 46 calls /signout on the site itself. In my case this call gives a 404?

michelversluijs commented 1 year ago

Hi, I would also appreciate an update on this issue. Release 2.23.0 fixed an issue where the 'Close account' button is now displayed for users signed in with delegation (#2073). This renders odd behavior in case of the B2C scenario: Users who decide to close their account can nevertheless sign in again without being asked for credentials.

MichdeJong commented 12 months ago

I have made an update that fixes this issue in our situation. I have created a PR so hopefully we can get this fix into the main branch.

See https://github.com/Azure/api-management-developer-portal/pull/2224

JamesonSuper commented 7 months ago

Hi, what do customers not self hosting have to do to get the fix contained within #2224? Do we need to wait for another release of the api-management-developer-portal? If so, when is this predicted to happen? Thanks.

gillesev commented 7 months ago

The #2224 fix was merged into the /master branch on 10/17; however, creating a new stv2.1 API Management service does not seem to contain the fix. Here is a screenshot of the theme.js file.

malincrist commented 6 months ago

@JamesonSuper, @gillesev, the fix was not yet deployed for managed portals. We started a new release, please give it a few more days to reach all the regions. Apologies for the inconveniences created.

JamesonSuper commented 6 months ago

@malincrist, can you please update on the progress of this release? I do not see an updated release at https://github.com/Azure/api-management-developer-portal/releases. Thanks.

JamesonSuper commented 5 months ago

@malincrist, any update on the progress of deploying this fix to managed portals? I see release 2.25 contains this fix, but this has not applied to our managed instances. Any advice appreciated, thanks.

malincrist commented 5 months ago

@JamesonSuper , the release 2.25 was not yet deployed for all the managed portals, it is still in progress. ETA would be 1-2 weeks. Apologies for the delay.

japsalem commented 4 months ago

Here's what we did as workaround for this issue.

  1. At the developer portal, set the sign-out menu link to the AD B2C OAuth 2 logout. This will log out your session with AD B2C and also redirect to the home page of your developer portal (but not a total log-out from the developer portal). _e.g. https://yourTenantName.b2clogin.com/.onmicrosoft.com/B2C_1_devportal-signin/oauth2/v2.0/logout?post_logout_redirect_uri=https://yourDevPortalName/signout_

  2. At the application gateway, create a rewrite rule. The condition is: if uri_path is signout, set a response header named "Set-Cookie" to "auth=". This will clear the "auth" cookie used by the developer portal and will force you to sign in again.

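The App Gateway rewrite rule from step 2 of the workaround above, written out as an ARM-template `rewriteRuleSets` fragment for the `Microsoft.Network/applicationGateways` resource. This is an added example, not the commenter's own configuration: the rule-set and rule names, the `ruleSequence`, the exact `pattern`, and the cookie attributes `Path=/; Max-Age=0; Secure` are assumptions (the comment only sets the header to `auth=`), while the cookie name `auth` and the condition on the `uri_path` server variable (spelled `var_uri_path` in ARM conditions) come from the comment.

```json
{
  "rewriteRuleSets": [
    {
      "name": "devportal-signout",
      "properties": {
        "rewriteRules": [
          {
            "name": "clear-auth-cookie-on-signout",
            "ruleSequence": 100,
            "conditions": [
              {
                "variable": "var_uri_path",
                "pattern": "^/signout/?$",
                "ignoreCase": true,
                "negate": false
              }
            ],
            "actionSet": {
              "requestHeaderConfigurations": [],
              "responseHeaderConfigurations": [
                {
                  "headerName": "Set-Cookie",
                  "headerValue": "auth=; Path=/; Max-Age=0; Secure"
                }
              ]
            }
          }
        ]
      }
    }
  ]
}
```

The rule set only takes effect once it is referenced from the request routing rule that fronts the portal, and a deletion cookie only replaces the original when its name, Path and Domain match, so check the portal's `auth` cookie attributes in the browser's storage view before relying on this.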