AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License

[Bug] Single signout invoked from B2C does not reset cookies of MVC apps #1164

Open mrochon opened 3 years ago

mrochon commented 3 years ago

Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version. 1.9.1

Where is the issue?

Is this a new or an existing app? I am using two new applications registered in B2C.

Repro

  1. Sign-in from an MVC app
  2. Enter signout request for some other application to the same b2C instance
  3. Refresh the page of the MVC application

Expected behavior: After any application requests signout from B2C, all applications with registered front-channel signout URLs should be signed out.

Actual behavior: The MVC application has a non-null User object, with all original claims. User is not signed out.

Possible solution

Additional context / logs / screenshots

From the Fiddler trace:

Contents of 302 response message from http://localhost:4300/Microsoftidentity/Account/Signout

    Set-Cookie: .AspNetCore.Cookies=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=lax; httponly

Contents of request caused by above redirect (to https://localhost:4300/signout/B2C_1A_SSOUTsignup_signin):

    Cookie: ai_user=0WB9w50JOAGg/6XkHf0oyV|2020-12-11T23:01:17.707Z

Contents of subsequent refresh to https://localhost:4300/ from another page in same browser:

    Cookie: ai_user=0WB9w50JOAGg/6XkHf0oyV|2020-12-11T23:01:17.707Z; .AspNetCore.Cookies=CfDJ8MFTB1ZzqFpPoAJV5LZpwVhlpH5RY675mJ0pPg8pRNmj2BIFYzWl28EJRrYGt-Qq7J5KrtDLtqJkwAy7czgI4aMDpMK7R6mVPld...

jmprieur commented 3 years ago

Thanks @mrochon for raising an issue with repro steps (rather than proceeding by emails). I believe you wrote that the MVC app was just created by dotnet new mvc --auth IndividualB2C ?

jmprieur commented 3 years ago

@jennyf19 this might be related to the auth schemes.

mrochon commented 3 years ago

Yes, that’s correct.

mrochon commented 3 years ago

Note that the middleware successfully deletes the auth cookie in the front-channel page. Why the cookie is then resurrected on a request from another browser page is for me the mystery (iframe?). Wouldn't an authentication scheme issue leave cookies unaffected?

kamilzzz commented 2 years ago

Isn't this caused by the default .AspNetCore.Cookies cookie being set with SameSite=lax? Then front-channel logout from an iframe in Azure AD (B2C) won't work as lax will prevent this.

I am facing the same issue with single sign out using Azure AD. It just doesn't work with lax cookies. Even the Chrome network debugger is complaining about this:

[screenshot attached in the original issue]
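To make the SameSite explanation in the comment above concrete, here is an added Python model of the browser rules in play; it is not code from the issue or from the Microsoft.Identity.Web project. It parses the Set-Cookie header from the Fiddler trace, replays repro steps 2 and 3 (the cross-site iframe load of the front-channel URL, then the same-site refresh), and shows why the deletion is dropped under samesite=lax but honoured under samesite=none. Assumptions: the B2C page hosting the iframe is a placeholder host, "site" is approximated as the last two host labels (no public-suffix list), and the acceptance rule follows Chromium's behaviour of rejecting a Lax/Strict cookie set by a cross-site response that is not a top-level navigation.

```python
# Added example (not code from the issue or from the Microsoft.Identity.Web project):
# a small model of the browser SameSite rules that decide whether the
# .AspNetCore.Cookies auth cookie is sent to, and whether its deletion is
# honoured from, the front-channel signout request that B2C loads in a
# cross-site iframe. The B2C host below is a constructed placeholder.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    same_site: str   # "strict", "lax" or "none"
    secure: bool
    deleted: bool    # True when Set-Cookie carried an expiry in the past


def parse_set_cookie(header: str) -> Cookie:
    """Extract the security-relevant attributes from a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    same_site, secure, deleted = "lax", False, False  # Chromium treats a missing SameSite as Lax
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "samesite":
            same_site = val.strip().lower()
        elif key == "secure":
            secure = True
        elif key == "expires" and "1970" in val:
            deleted = True  # epoch expiry is how ASP.NET Core deletes a cookie
    return Cookie(name, value, same_site, secure, deleted)


def site_of(url: str) -> str:
    """Approximate the registrable domain as the last two host labels
    (no public-suffix list; good enough for localhost vs. b2clogin.com)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_sent(cookie: Cookie, request_url: str, top_level_url: str,
                top_level_navigation: bool) -> bool:
    """Would the browser attach this cookie to a GET request made while
    top_level_url is the page in the address bar?"""
    if cookie.secure and urlsplit(request_url).scheme != "https":
        return False
    if cookie.same_site == "none":
        return cookie.secure  # SameSite=None is only honoured together with Secure
    same_site = site_of(request_url) == site_of(top_level_url)
    if cookie.same_site == "strict":
        return same_site
    # Lax: same-site requests always, cross-site only on top-level navigations
    return same_site or top_level_navigation


def set_cookie_accepted(cookie: Cookie, response_url: str, top_level_url: str,
                        top_level_navigation: bool) -> bool:
    """Would the browser honour a Set-Cookie from this response? Chromium rejects a
    Lax/Strict cookie set by a cross-site response that is not a top-level
    navigation, which is the warning the last comment refers to."""
    if cookie.secure and urlsplit(response_url).scheme != "https":
        return False
    if cookie.same_site == "none":
        return cookie.secure
    if top_level_navigation:
        return True  # the response becomes the new first-party page
    return site_of(response_url) == site_of(top_level_url)


# Set-Cookie header taken from the Fiddler trace in the issue
LAX_DELETE = (".AspNetCore.Cookies=; expires=Thu, 01 Jan 1970 00:00:00 GMT; "
              "path=/; secure; samesite=lax; httponly")
# Constructed: the same deletion with the policy the last comment points at
NONE_DELETE = LAX_DELETE.replace("samesite=lax", "samesite=none")

FRONT_CHANNEL_URL = "https://localhost:4300/signout/B2C_1A_SSOUTsignup_signin"  # from the issue
APP_URL = "https://localhost:4300/"
B2C_PAGE_URL = "https://TENANT-PLACEHOLDER.b2clogin.com/logout"  # placeholder page hosting the iframe


def signout_outcome(set_cookie_header: str) -> dict:
    """Replay the repro: B2C loads the front-channel URL in an iframe (step 2),
    then the user refreshes the MVC tab (step 3)."""
    cookie = parse_set_cookie(set_cookie_header)
    deletion_accepted = set_cookie_accepted(
        cookie, FRONT_CHANNEL_URL, B2C_PAGE_URL, top_level_navigation=False)
    # If the deletion was dropped, the live cookie (same attributes) survives and is
    # sent on the same-site refresh, so the app still sees an authenticated User.
    survives = not deletion_accepted
    sent_on_refresh = survives and cookie_sent(cookie, APP_URL, APP_URL, True)
    return {"deletion_accepted": deletion_accepted, "user_signed_out": not sent_on_refresh}


if __name__ == "__main__":
    for label, header in (("samesite=lax", LAX_DELETE), ("samesite=none", NONE_DELETE)):
        print(label, signout_outcome(header))
```

In ASP.NET Core terms the corrected policy corresponds to configuring the cookie authentication scheme's cookie with `SameSiteMode.None` and `CookieSecurePolicy.Always` (the front-channel URL must then be served over HTTPS, as it already is in the trace). The trade-off to weigh is that SameSite=None gives up the CSRF protection Lax provided for that cookie, so the app's antiforgery tokens carry that load on their own.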