question

0 Votes
fhtino asked fhtino commented

app service easyauth logout without logging out from provider

I'm using "EasyAuth" on an Azure App Service web app.
https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to

Everything works as expected but not the logout process. When I call https://mysite/.auth/logout from the browser, I lose my Microsoft account session in the browser and I find myself signed out from all Microsoft-related websites (e.g. outlook.com, OneDrive, etc.) because the logout process triggered by EasyAuth forces the logout from the identity provider instead of simply logging out from my website.
As far as I understand, this is mentioned in the documentation (link above):

For Azure Active Directory and Google, performs a server-side sign-out on the identity provider.

A question and a note:
- Is there a way to log out from my web app without losing access to other Microsoft services?
- The documentation mentions Google as having the same behavior, but in my tests, when I log out during a visit authenticated by Google, I do not find myself kicked out of Google services. So I suppose the documentation is wrong.

Any ideas / suggestions?




azure-webapps azure-webapps-authentication

1 Answer

0 Votes
ryanchill answered fhtino commented

Hi @fhtino, please let me know if you have any other questions down below.

Is there a way to log out from my web app without losing access to other Microsoft services?

Short answer is no. Easy Auth simply directs the call to the appropriate provider endpoints. Thus, I would say that's the way the provider works. I verified this by signing out of onedrive.com and navigating to outlook.com and vice versa. You get the same behavior.

The documentation mentions Google as having the same behavior, but in my tests, when I log out during a visit authenticated by Google, I do not find myself kicked out of Google services. So I suppose the documentation is wrong.

I don't believe you can consider that the same behavior. Server-side sign-out means you're signing out of that service. However, it's still up to the provider, as you may find similar behaviors when you sign out of AAD.


@ryanchill I'm wondering if just deleting the authentication cookie delivered by EasyAuth could be a viable solution. I see that after authentication, I get an "AppServiceAuthSession" cookie. If I manually delete it from the browser (F12), I find myself logged out from the web app. This is exactly the behavior I was looking for.
So I just created a simple Razor page to do the same server-side:

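 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;

 public class LogoutModel : PageModel
 {
     public IActionResult OnGet()
     {
         // Ask the browser to drop the EasyAuth session cookie (expired Set-Cookie);
         // the identity provider's own session is not touched.
         Response.Cookies.Delete("AppServiceAuthSession");
         return RedirectToPage("Index");
     }
 }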

Another question about the cookie name "AppServiceAuthSession": is it a constant? Or can future versions of EasyAuth change it? I searched for some reference in the documentation but I haven't found it. Any links/hints?




0 Votes 0 ·

@fhtino, AppServiceAuthSession is reliable to use but, as always, the future is not foretold, so bear that in mind. However, this cookie should get deleted on /.auth/logout.

0 Votes 0 ·

@ryanchill I understand your point about the future :)
Regarding /.auth/logout, as I explained in the first message, I do not want to use it because it is too aggressive. It logs me off from my provider.

1 Vote 1 ·
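
A check for the cookie-deletion approach discussed in the comments above, as an added example that is not part of the original thread: it inspects the Set-Cookie headers of a local logout response and reports whether a browser would actually drop the AppServiceAuthSession cookie. The issued path `/`, the host-only scope, the `/Logout` request path and the sample headers are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

COOKIE = "AppServiceAuthSession"  # cookie name reported in the thread
ISSUED_PATH = "/"                 # assumption: path the session cookie was set with

def parse_set_cookie(raw):
    """Split one Set-Cookie value into (name, attrs) with lower-cased attribute keys."""
    pair, *rest = raw.split(";")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return pair.partition("=")[0].strip(), attrs

def default_path(request_path):
    """RFC 6265 default-path, used when the header carries no Path attribute."""
    if not request_path.startswith("/"):
        return "/"
    return request_path.rsplit("/", 1)[0] or "/"

def is_expired(attrs, now):
    """Max-Age wins over Expires; a cookie with neither is a live session cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # malformed Max-Age is ignored, fall back to Expires
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            return False
    return False

def clears_session(set_cookie_values, request_path="/Logout", now=None):
    """True if any header would make a browser drop the EasyAuth session cookie."""
    now = now or datetime.now(timezone.utc)
    for raw in set_cookie_values:
        name, attrs = parse_set_cookie(raw)
        path = attrs.get("path") or default_path(request_path)
        # Assumption: the session cookie is host-only, so a Domain attribute
        # would address a different cookie and leave the original in place.
        if name == COOKIE and path == ISSUED_PATH and "domain" not in attrs:
            if is_expired(attrs, now):
                return True
    return False

# Constructed sample headers (not captured from a real App Service).
GOOD = "AppServiceAuthSession=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/"
NO_PATH = "AppServiceAuthSession=; Max-Age=0"
```

This only verifies the browser-side effect. Deleting the cookie does not remove the user's tokens from the App Service token store, which the documentation lists as a separate step performed by /.auth/logout.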