AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

postLogoutRedirectUri not working when authority url contains a tenant ID #5783

Open chill0216 opened 1 year ago

chill0216 commented 1 year ago

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.30.0

Wrapper Library

MSAL React (@azure/msal-react)

Wrapper Library Version

1.4.9

Public or Confidential Client?

Public

Description

When I modify the authority value to include the tenant ID (e.g., 'https://login.microsoftonline.com/{your-tenant-id}') and then log out, the browser fails to redirect me back to my application. However, if I use "common" in the URL, the redirect works as expected.

I have also confirmed that the logout URL is properly set in the Azure portal, but the issue persists.

Notably, the issue only occurs when using a tenant-specific authority URL, as it works fine with the default 'https://login.microsoftonline.com/common' URL.

Error Message

No response

Msal Logs

No response

MSAL Configuration

export const msalConfig = {
    auth: {
        clientId: "{your-client-id}",
        authority: 'https://login.microsoftonline.com/{your-tenant-id}',
        redirectUri: "/",
        postLogoutRedirectUri: "/",
    },
    cache: {
        cacheLocation: "localStorage",
        storeAuthStateInCookie: false,
    },
};

Relevant Code Snippets

const handleLogout = () =>
    instance.logoutRedirect({
        postLogoutRedirectUri: '/',
    });

Reproduction Steps

  1. Change the authority to 'https://login.microsoftonline.com/{your-tenant-id}' and log in using your credentials.
  2. Log out and observe that you are not redirected back to the local host.
  3. Update the authority to 'https://login.microsoftonline.com/common' and log in again.
  4. Log out and notice that you are now redirected back to my application.

Expected Behavior

I anticipate that when logging out with the tenant ID in the authority URL, the browser should redirect the user to the application, similar to how it behaves when the authority URL contains "common".

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

Chrome

Regression

No response

Source

Internal (Microsoft)

lalimasharda commented 1 year ago

Hey @chill0216 ,

Are you seeing any errors in the console when you use the tenant id?

chill0216 commented 1 year ago

Hey @chill0216 ,

Are you seeing any errors in the console when you use the tenant id?

I am not seeing any errors, no. It just logs me out stays on this screen:

lalimasharda commented 1 year ago

Okay, it seems that you are stuck on the log out page and it isn't redirecting back to your application. Can you try changing your postLogoutRedirectUri to a different uri like '/logout' or '/homepage' in your application? Are you experiencing this in logout popup as well?

I do not think tenantid is causing an issue here. Especially because you are able to login with the same authority uri.

chill0216 commented 1 year ago

@lalimasharda Yes, I attempted to modify the URI, but it was unsuccessful. I also tried this using the MSAL react sample application in this repo and the same thing happens. It doesn't redirect me back to the application unless authority is https://login.microsoftonline.com/common.

https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-react-samples/react-router-sample

After initiating the logoutPopup, I am logged out within the popup and directed to the "You signed out of your account" page, however, the popup remains open and does not close unless I manually close it.

Were you able to reproduce my issue on your end?

lalimasharda commented 1 year ago

Yes, I did try reproducing it with that sample above with the Microsoft tenant id and it worked for me. Can you please share your verbose msal logs? Maybe I can compare them with mine and see where exactly it is failing.

chill0216 commented 1 year ago

@lalimasharda By the way, have you tested the application on Chrome? I tested it on Safari earlier and it worked without any issues. Whenever I signed out, it always redirected me back to the application. However, I noticed that when I tried it on Chrome or Firefox, the redirect feature didn't work as expected.

Yes, here are all of the logs that I see when logging out:

[Sat, 11 Mar 2023 19:25:35 GMT] : @azure/msal-browser@2.33.0 : Info - Emitting event: msal:logoutStart
[Sat, 11 Mar 2023 19:25:35 GMT] : @azure/msal-react@1.5.3 : Info - MsalProvider - msal:logoutStart results in setting inProgress from none to logout
[Sat, 11 Mar 2023 19:25:35 GMT] : @azure/msal-browser@2.33.0 : Info - Emitting event: msal:logoutSuccess
benaguitar commented 1 year ago

@chill0216 I have a very similar issue on the angular version. Mine works in Safari but not in chrome or Firefox. I have recently discovered if I create a new user in AD and login using that new user it redirects correctly but does not if using the main admin AD user or external users such as a gmail account that was invited.

The other way it works is if I am in incognito mode or set third party cookies to be blocked in non incognito mode.

I’m curious if you have the same outcome?

chill0216 commented 1 year ago

Hey @benaguitar, I had the exact same issue as you! I just made a new user in AD, logged in, and then logged out and was redirected back to the app correctly. It just doesn't work for the primary admin user and external users.

@lalimasharda, looks like this same bug occurs for both @benaguitar and I.

chill0216 commented 1 year ago

Hey @sameerag , let me know if you can help us resolve this issue. Thanks

sameerag commented 1 year ago

@chill0216 To summarize, AAD users work, guest users are not redirected. Correct? What do you mean by primary admin user?

chill0216 commented 1 year ago

@sameerag Sorry, by primary user I mean the user account that I used to create the Azure account (screenshot 1 - cjhill0216@gmail.com). This user account does not get redirected back to the app after logging out. However, the “Delete” user (screenshot 2) that I created by selecting “New User” > “Create new user” does get redirected back to the app after logging out.

Screenshot 1 (image not included)

Screenshot 2 (image not included)

sameerag commented 1 year ago

@chill0216 Can you share the requests for both cases when you logout? I want to check the value of postLogoutUri in the STS request for both the cases.

e.g.,

https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2Flogout%2F%3F&client_id=<..
chill0216 commented 1 year ago

@sameerag For cjhill0216@gmail.com, it is https://login.microsoftonline.com/37ac774b-b8b2-4d6a-bb92-92dbfb5fdf77/oauth2/v2.0/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A4200%2F&client-request-id=cc0567cc-2c3e-4e80-ae6d-12cb12a5a093 (Doesn't redirect)

For delete@cjhill0216gmail.onmicrosoft.com, it is https://login.microsoftonline.com/37ac774b-b8b2-4d6a-bb92-92dbfb5fdf77/oauth2/v2.0/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A4200%2F&client-request-id=ab8c1033-f4d7-4354-8c78-bda9f8709108 (Does redirect)

chill0216 commented 1 year ago

@sameerag Any update on this?

sameerag commented 1 year ago

@chill0216 This could be a service issue or you may be having a session in one case and do not in another (in which case STS deems this is not a safe route to redirect and does not redirect). To know what is what, can you please share the fiddler trace for both cases? You can send them to my email (which is in my profile).

chill0216 commented 1 year ago

@sameerag Sent the Fiddler trace for both. Let me know if you need me to send it in a different format

sameerag commented 1 year ago

Thanks @chill0216 for the logs. @konstantin-msft is checking them, one of us will reach out once we have some info.

chill0216 commented 1 year ago

Thanks a lot!


ghost commented 1 year ago

This issue requires attention from the MSAL.js team and has not seen activity in 5 days. @hectormmg please follow up.

sameerag commented 1 year ago

@hectormmg cc

chill0216 commented 1 year ago

Any update on this @jo-arroyo?

tnorling commented 1 year ago

Your logs show that the post logout redirection did not occur because there was no session found to log out of. This can happen if the tenant the user is signed into is different from the tenant you are attempting to sign out of, as would be the case for external users. Is there a reason you don't want to use the /common endpoint? That's what we would normally recommend using in all cases, including in cases where you signed in to a specific tenant.

chill0216 commented 1 year ago

@tnorling Hmm, what would be the case for the user account that I used to create the Azure account not redirecting back to the login page? This is not an external user.

Also, I have tried https://login.microsoftonline.com/common as the authority, but I get an "invalid request" error message: errors: ["invalid_request", "invalid_request", "invalid_request"]. I don't think I can use /common since this is a single-tenant app. Is that correct?

tnorling commented 1 year ago

Is there any more detail on the invalid_request?

tnorling commented 1 year ago

The fiddler trace you shared before just had the logout request and errored out due to there not being an existing session. If you can send me a fiddler trace showing both a login and the subsequent failed logout with a non-external user I can share it with our server teams and see if they know what's going on.

chill0216 commented 1 year ago

@tnorling I sent over the logs to your email. Let me know if you need anything else.

tnorling commented 1 year ago

I responded over email with a few additional questions, please take a moment to answer those questions when you can. Thanks!

chill0216 commented 1 year ago

@tnorling Ok, I will get a response to those questions over to you today.

ghost commented 1 year ago

@chill0216 This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.

chill0216 commented 1 year ago

Hey, @tnorling, I'm planning to send you an email to provide a more detailed explanation of the issue I'm currently experiencing. Additionally, I'll include a screen recording to help illustrate the problem.

lekpeng commented 1 year ago

Hi, just wondering if there has been any solution/follow up to this? I think I might be facing the same problem.

gfmoreira commented 11 months ago

If you use useCallback it will work fine. Solved it for me, it was exactly the same problem.

const { instance } = useMsal();
const logout = useCallback(() => {
    instance.logoutRedirect({
        postLogoutRedirectUri: '/',
        mainWindowRedirectUri: '/',
    });
}, [instance]);
rahulhinge commented 10 months ago

Hello, I am too facing the same issue. Is there any solution for this issue please?

StijnAvdL commented 10 months ago

Hi, I'm also stuck on this issue. Is there any update on this? Thanks in advance!

rahulhinge commented 10 months ago

It is only working for me with the 'common' url. The redirect url is configured on AzureBC -> Registered Application. Following is my code sample. Hope this helps.

const { instance } = useMsal();

const handleLogout = () => {
    const logoutRequest = { authority: 'https://login.microsoftonline.com/common' };
    instance.logoutRedirect(logoutRequest);
};

On logout, it asks to pick an account, then it momentarily shows a screen to close all browser windows and then redirects to the suggested page. Does anyone know how to bypass the 'Pick an Account' and 'Close all Browser windows' screens please?

MirzaMerdovic commented 8 months ago

I am experiencing the same issue as others. I can see in the console logs that logout is being executed correctly, and the post logout url is correct, but the redirect doesn't happen.

turenc commented 8 months ago

I am experiencing the same issue as others.

// Build the end-session URL by hand and navigate to it; the redirect URI is percent-encoded so the query string stays well-formed.
const msalLogoutUrl: string = `${msalConfig.authority}/oauth2/v2.0/logout?post_logout_redirect_uri=${encodeURIComponent(window.location.origin + msalConfig.postLogoutRedirectUri)}&client_id=${msalConfig.clientId}`;
window.location.replace(msalLogoutUrl);

Rablet commented 8 months ago

I had the same issue with the confidential client and noticed including the login_hint query param fixed the issue for me. Might be worth trying if it's supported in the public client as well?

It's described here: https://learn.microsoft.com/en-gb/entra/identity-platform/v2-protocols-oidc#send-a-sign-out-request:~:text=logout_hint,of%20the%20logout_hint%20parameter.

efedericomedina commented 8 months ago

I am having this issue as well when logging out with the admin account that is .gmail, but it works when I log out with a test user.

ManelBH commented 6 months ago

I'm also having this issue. Any news on this?

snathanail commented 6 months ago

So what I did to fix this was the following. I had set up my application on Microsoft Entra ID - App Registrations. In the Authentication tab, in Single-page Application section I added the logout callback URI as follows:


A couple of minutes later, the logout started redirecting me back to my app!

Apparently we need to "whitelist" the logout redirect url.

HTH
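The thread converges on three things: sign out against /common rather than a tenant-specific authority (tnorling's comment, since a guest's session lives in a different tenant), pass a logout_hint (Rablet's comment), and register an absolute post-logout URI (snathanail's comment). The helper below, an added example and not MSAL's own code, assembles the EndSessionRequest for instance.logoutRedirect() from an AccountInfo-shaped object and the issue's msalConfig, and also rebuilds the end-session URL that turenc constructs by hand, with proper encoding. It assumes the account object carries idTokenClaims and that the client_id parameter is wanted, as in turenc's snippet.

```javascript
// Added example (not MSAL's own code). Assumes an MSAL AccountInfo-shaped
// object ({ tenantId, username, idTokenClaims }) and the issue's msalConfig.
const COMMON_AUTHORITY = "https://login.microsoftonline.com/common";

// Resolve a relative postLogoutRedirectUri against the app origin: the STS only
// redirects to a URI that is registered on the app registration, and that
// registration is always absolute.
function toAbsolute(uri, origin) {
  return /^https?:\/\//i.test(uri) ? uri : new URL(uri, origin).href;
}

// Build the EndSessionRequest passed to instance.logoutRedirect().
// - authority: /common, so the sign-out reaches whichever tenant holds the
//   session (a guest signed in via another tenant has no session under the
//   resource tenant, and the STS then refuses to redirect).
// - logoutHint: the id token's optional login_hint claim, which lets the STS
//   pick the session without showing the account picker.
function buildLogoutRequest(account, config, origin) {
  const claims = (account && account.idTokenClaims) || {};
  const req = {
    authority: COMMON_AUTHORITY,
    postLogoutRedirectUri: toAbsolute(config.auth.postLogoutRedirectUri, origin),
  };
  if (account) req.account = account;
  if (typeof claims.login_hint === "string") req.logoutHint = claims.login_hint;
  return req;
}

// The raw end-session URL, useful when comparing a failing and a working case
// in the network tab as done in the thread. URLSearchParams percent-encodes
// every value; a bare template string would leave "/" and "?" unencoded.
function buildLogoutUrl(req, clientId) {
  const params = new URLSearchParams();
  params.set("post_logout_redirect_uri", req.postLogoutRedirectUri);
  params.set("client_id", clientId);
  if (req.logoutHint) params.set("logout_hint", req.logoutHint);
  return `${req.authority}/oauth2/v2.0/logout?${params.toString()}`;
}
```

Compare the URL produced here with the one MSAL actually sends (visible in the browser's network tab); a tenant-specific authority or a relative post_logout_redirect_uri in the real request is the first thing to rule out.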