azure-ad-b2c / samples

Azure AD B2C custom policy solutions and samples.

Logout_hint parameter not being added to AAD identity provider logout URL in B2C custom policy #525

Status: Closed (closed by a-dovgal 1 year ago)

a-dovgal commented 1 year ago

I am trying to add a logout_hint parameter to the logout URL for a B2B identity provider in an Azure AD B2C custom policy.

I have verified that the login_hint parameter is being added correctly to the user's token claims, and have checked that the claims transformation is correctly referenced in the technical profile(s). I can see from the network traffic that a logout request is being sent when the user signs out. However, the logout_hint parameter is not being added to the identity provider logout URL when a user signs out.

Is there something else that I need to do in order to ensure that the logout_hint parameter is added to the identity provider logout URL? Any guidance or assistance would be greatly appreciated.

Thank you.

JasSuri commented 1 year ago

When Azure AD B2C makes a request to any Identity Provider logout endpoint, it simply makes a GET request to the configured endpoint, without any further parameters. There is no special treatment for logout requests sent to AAD from AAD B2C.

a-dovgal commented 1 year ago

@JasSuri Let me provide a bit more information. In the B2C policy, I added functionality for single sign-out. When the user logs out of B2C, a logout request to the federated identity provider (https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/logout) is sent in the background, but the user is not logged out of this federated identity provider. If the user simply opens the link https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/logout in the browser, the user will need to select an account for the logout. But if the user follows the link https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/logout?logout_hint={login_hint}, he will be logged out of the federated identity provider. Accordingly, I need to somehow make sure that the logout_hint parameter is added to the federated identity provider's logout link when the user logs out from B2C and the logout request to the federated identity provider is sent in the background.

So, my goal is to log a user out of the federated IDP when the user logs out of the application.