Open david-palladino opened 3 years ago
Do you have repro steps, @david-palladino? For instance, using this sample? https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-2-B2C
@jmprieur please see this repo with my Blazor Server app here: https://github.com/david-palladino/BlazorServerAzureADB2CApp
You'll just need to update the appsettings.json with the details of your Azure AD B2C tenant before running.
Steps to reproduce the issue are:
1) Log in.
2) Click the "Sign out" link in the upper right of the app.
Thanks.
Would it be possible to modify the SignOut method in Microsoft.Identity.Web.UI - AccountController.cs to invalidate the user's access token on the server?
My app is using Microsoft.Identity.Web.UI 1.16.0 and Azure AD B2C. It failed a security test because, after "MicrosoftIdentity/Account/SignOut" was called, the security tester discovered that he was able to continue using the access token found within .AspNetCore.Cookies.
I discovered that the Graph API has a revokeSignInSessions method which at first glance would appear to invalidate the access token, but upon more research I see that it only invalidates refresh tokens.
Thanks
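An added example, not code from this issue or from Microsoft.Identity.Web, modelling why the tester's finding holds: a bearer access token is accepted by an API on its signature and `exp` alone, so clearing the sign-in cookie does nothing to the token itself. The `sign_out_times` registry and the `oid`/`iat` comparison are an assumed server-side mitigation the resource API would have to implement; the token is a constructed sample with a placeholder signature, and signature validation is out of scope here.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    # Constructed sample only: JWT-shaped, with a placeholder instead of a real
    # signature, so the example runs offline. Real tokens are signed by Azure AD B2C.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.placeholder-signature"


def read_claims(token: str) -> dict:
    # Parse the payload only; the API validates the signature separately.
    return json.loads(_b64url_decode(token.split(".")[1]))


def seconds_until_expiry(token: str, now: int) -> int:
    # Sign-out does not shorten this: the token stays usable until exp.
    return max(0, read_claims(token)["exp"] - now)


def token_accepted(token: str, sign_out_times: dict, now: int) -> bool:
    """Accept only unexpired tokens issued after the user's latest recorded
    sign-out (hypothetical registry keyed by the oid claim). With an empty
    registry this degrades to the default bearer check, which is the bug
    described in the issue: sign-out has no effect on the token."""
    claims = read_claims(token)
    if now >= claims["exp"]:
        return False
    revoked_at = sign_out_times.get(claims["oid"])
    return revoked_at is None or claims["iat"] > revoked_at


if __name__ == "__main__":
    # Token issued at t=1000 with a one-hour lifetime; user signs out at t=2000.
    tok = make_sample_token({"oid": "user-1", "iat": 1000, "exp": 4600})
    print("accepted after sign-out, no registry:", token_accepted(tok, {}, 3000))
    print("accepted after sign-out, with registry:",
          token_accepted(tok, {"user-1": 2000}, 3000))
    print("seconds still valid after sign-out:", seconds_until_expiry(tok, 2000))
```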