AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

MSAL logout() function requires selecting the account the user wants to log out #2922

Closed amaleszewski closed 3 years ago

amaleszewski commented 3 years ago

Description

According to https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md and the code descriptions, MSAL is supposed to remove the entire session and caches automatically when msalObj.logout(); is called.

But the msal object always asks which account should be logged out.


I found that this bug was also opened by another user, but it was closed without a solution: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2024

MSAL Configuration

import { Configuration } from '@azure/msal-browser';

export const msalConfig: Configuration = {
    auth: {
        clientId: clientId,
        // single-tenant authority; clientId and tenantId are defined elsewhere in the app
        authority: `https://login.microsoftonline.com/${tenantId}`,
        redirectUri: 'http://localhost:3000/dashboard',
        // where AAD sends the browser after the end-session request completes
        postLogoutRedirectUri: 'https://localhost:3000',
    },
    cache: {
        cacheLocation: 'localStorage',
        storeAuthStateInCookie: false,
    },
};

Reproduction steps

call msalInstance.logout()

Expected behavior

logout and clear cache without any user interaction

Security

Yes, because if you don't select an account to sign out, you can go back into the application and, after clicking 'logout', you are immediately logged in again.

jo-arroyo commented 3 years ago

@amaleszewski Unfortunately, this is a known issue with the AAD service. At this time, there is no way to bypass the logout account selection screen on logout. We would like to make improvements to this, but there are no plans to do so at present.

hectormmg commented 3 years ago

@amaleszewski just to complement @jo-arroyo's answer here, msalObj.logout() does clear the cache and session data on the client side (browser). The logout prompt you're seeing comes from the AAD service, because it needs to know which user to terminate the session for on the authentication server side. Like @jo-arroyo said, we're discussing possible improvements to this experience.
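
The split described above (client-side cache cleared by MSAL, server-side session ended by AAD, which needs to know which account) is illustrated by the added example below. It is not code from this thread or from the MSAL.js project. It assumes an msal-browser release whose EndSessionRequest accepts `account` and `logoutHint` (that option did not exist when the maintainers replied here) and an app registration with the `login_hint` optional claim enabled, which is what lets AAD's /oauth2/v2.0/logout endpoint accept a `logout_hint` and skip the account picker. The account object, authority and hint value are constructed for the example.

```javascript
// Added example, not code from the MSAL.js project or from this issue thread.
// Shows how the end-session request handed to msalInstance.logoutRedirect(request)
// is built, and what AAD v2 logout URL it resolves to, with and without a
// logout hint. Assumptions: msal-browser EndSessionRequest supports `logoutHint`,
// and the id token carries the `login_hint` optional claim.

const AUTHORITY = "https://login.microsoftonline.com/common"; // constructed stand-in for the tenant authority
const POST_LOGOUT_REDIRECT_URI = "https://localhost:3000";      // same value as the reporter's config

// Shaped like msal-browser's AccountInfo; constructed for the example, not a real account.
const accountWithHint = {
  homeAccountId: "00000000-0000-0000-0000-000000000001.00000000-0000-0000-0000-000000000002",
  environment: "login.windows.net",
  tenantId: "00000000-0000-0000-0000-000000000002",
  username: "user@example.com",
  localAccountId: "00000000-0000-0000-0000-000000000001",
  idTokenClaims: {
    // only present when the login_hint optional claim is enabled for the app
    login_hint: "O.CiQxMjM0.constructed-hint",
  },
};

// Same account as the reporter would have: no login_hint claim in the id token.
const accountWithoutHint = {
  ...accountWithHint,
  idTokenClaims: { preferred_username: "user@example.com" },
};

// Build the request object passed to logoutRedirect()/logoutPopup().
// `account` tells MSAL which cached account to drop on the client;
// `logoutHint` is what tells AAD which server-side session to end,
// so the "pick an account" page is not shown.
function buildEndSessionRequest(account, postLogoutRedirectUri) {
  const request = { account, postLogoutRedirectUri };
  const hint = account && account.idTokenClaims && account.idTokenClaims.login_hint;
  if (hint) {
    request.logoutHint = hint;
  }
  return request;
}

// The AAD v2 end-session URL the request resolves to. MSAL builds this itself;
// it is reproduced here only to make the query parameters visible.
function buildLogoutUrl(authority, request) {
  const url = new URL(`${authority.replace(/\/$/, "")}/oauth2/v2.0/logout`);
  if (request.postLogoutRedirectUri) {
    url.searchParams.set("post_logout_redirect_uri", request.postLogoutRedirectUri);
  }
  if (request.logoutHint) {
    url.searchParams.set("logout_hint", request.logoutHint);
  }
  return url.toString();
}

// True when AAD can end the session without asking the user which account.
function skipsAccountPicker(request) {
  return typeof request.logoutHint === "string" && request.logoutHint.length > 0;
}

// Stand-alone usage: compare the two cases.
for (const account of [accountWithHint, accountWithoutHint]) {
  const request = buildEndSessionRequest(account, POST_LOGOUT_REDIRECT_URI);
  console.log(skipsAccountPicker(request) ? "no prompt:" : "prompt shown:", buildLogoutUrl(AUTHORITY, request));
}
```

Without a hint the client cache is still cleared, but the AAD session cookie survives until the user completes the picker, which is the re-login-on-return behaviour the reporter lists under Security; for an account that lacks the claim, forcing `prompt: "select_account"` on the next loginRedirect is the usual fallback.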

github-actions[bot] commented 3 years ago

This issue has not seen activity in 14 days. It will be closed in 7 days if it remains stale.

github-actions[bot] commented 3 years ago

This issue has been closed due to inactivity. If this has not been resolved please open a new issue. Thanks!