We have a special design of B2C tenants, as shown below, to support a large number of customers.
With this design the authentication flow works perfectly fine: the application requests authentication from the frontend tenant, the frontend forwards the request to the backend tenant, and the backend then forwards it to the IdP.
Metadata URL used for federating from the frontend B2C tenant to the backend B2C tenant: https://backendTenant.b2clogin.com/backendTenant.onmicrosoft.com/B2C_1A_signin/v2.0/.well-known/openid-configuration
We are facing an issue during logout,
where the application sends the logout request to the frontend tenant - https://frontendTenant.b2clogin.com/frontendTenant.onmicrosoft.com/B2C_1A_signin/oauth2/v2.0/logout?p=B2C_1A_signin&&post_logout_redirect_uri=http://localhost:5001
Frontend sends logout request to backend tenant - https://backendTenant.b2clogin.com/backendTenant.onmicrosoft.com/b2c_1a_signin_group_1/oauth2/v2.0/logout
The application's post-logout URL is called.
If we observe here, the backend tenant logout request doesn't contain the post_logout_redirect_uri field, hence the backend B2C tenant is not making the IdP logout request, because of which the IdP session is not getting cleared.
How can we make the frontend tenant send the same post_logout_redirect_uri field in the backend logout request?
I tried setting an explicit end_session_endpoint in the technical profile, but how to capture the original logout request and extract the