Open mrochon opened 3 years ago
Thanks @mrochon for raising an issue with repro steps (rather than proceeding by emails)
I believe you wrote that the MVC app was just created by `dotnet new mvc --auth IndividualB2C`?
@jennyf19 this might be related to the auth schemes.
Yes, that’s correct.
Note that the middleware successfully deletes the auth cookie in the front-channel page. Why the cookie is then resurrected on a request from another browser page is for me the mystery (iframe?). Wouldn't an authentication scheme issue leave cookies unaffected?
Isn't this caused by the default .AspNetCore.Cookies cookie being set with SameSite=lax?
Then front-channel logout from an iframe in Azure AD (B2C) won't work as lax will prevent this.
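As an added illustration of the fix being suggested (not code from this thread or from the Microsoft.Identity.Web project itself), here is how the ASP.NET Core cookie scheme can be reconfigured so the auth cookie is no longer SameSite=Lax. It assumes the default cookie scheme name set up by `dotnet new mvc --auth IndividualB2C` and that the app is served over HTTPS; the extension method name is hypothetical.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class FrontChannelLogoutCookieSetup
{
    // Hypothetical helper; call it from Startup.ConfigureServices after
    // AddMicrosoftIdentityWebApp(...) has registered the cookie scheme.
    public static IServiceCollection ConfigureAuthCookieForFrontChannelLogout(
        this IServiceCollection services)
    {
        services.Configure<CookieAuthenticationOptions>(
            CookieAuthenticationDefaults.AuthenticationScheme, options =>
        {
            // The template default is Lax. Browsers neither send a Lax cookie on,
            // nor accept a Set-Cookie for it from, a cross-site subrequest such as
            // the iframe B2C loads for front-channel sign-out, so the expiring
            // Set-Cookie in the 302 from /MicrosoftIdentity/Account/SignOut is
            // discarded and the session survives in other tabs.
            options.Cookie.SameSite = SameSiteMode.None;

            // Browsers reject SameSite=None without Secure, so require HTTPS.
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.HttpOnly = true;
        });

        return services;
    }
}
```

Note that SameSite=None gives up the cross-site request protection Lax provided for free, so the anti-forgery tokens the MVC template already emits on state-changing forms must stay in place.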
I am facing the same issue with single sign-out using Azure AD. It just doesn't work with lax cookies. Even Chrome's network debugger is complaining about this:
Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version. 1.9.1
Where is the issue?
Is this a new or an existing app? I am using two new applications registered in B2C.
Repro
Expected behavior: after any application requests sign-out from B2C, all applications with registered front-channel sign-out URLs should be signed out.
Actual behavior: the MVC application has a non-null User object, with all original claims. The user is not signed out.
Possible solution
Additional context / logs / screenshots
From the Fiddler trace:

Contents of 302 response message from http://localhost:4300/Microsoftidentity/Account/Signout:
Set-Cookie: .AspNetCore.Cookies=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; secure; samesite=lax; httponly

Contents of request caused by above redirect (to https://localhost:4300/signout/B2C_1A_SSOUTsignup_signin):
Cookie: ai_user=0WB9w50JOAGg/6XkHf0oyV|2020-12-11T23:01:17.707Z

Contents of subsequent refresh to https://localhost:4300/ from another page in same browser:
Cookie: ai_user=0WB9w50JOAGg/6XkHf0oyV|2020-12-11T23:01:17.707Z; .AspNetCore.Cookies=CfDJ8MFTB1ZzqFpPoAJV5LZpwVhlpH5RY675mJ0pPg8pRNmj2BIFYzWl28EJRrYGt-Qq7J5KrtDLtqJkwAy7czgI4aMDpMK7R6mVPld...