RajeshNaik-4247 asked

B2C - Cannot log out from IDP when two B2C tenants are involved.

Hello,

We have a special design of B2C tenants, as shown below, to support a large number of customers:

[Screenshot attachment: screenshot-2021-09-27-at-103959-am.png]



With this design the authentication flow works perfectly fine: the application requests authentication from the frontend tenant, the frontend forwards the request to the backend tenant, and the backend then forwards it to the IDP.

Metadata URL used for federating from the frontend B2C tenant to the backend B2C tenant: https://backendTenant.b2clogin.com/backendTenant.onmicrosoft.com/B2C_1A_signin/v2.0/.well-known/openid-configuration

We are facing an issue during logout:

  1. The application sends the logout request to the frontend tenant - https://frontendTenant.b2clogin.com/frontendTenant.onmicrosoft.com/B2C_1A_signin/oauth2/v2.0/logout?p=B2C_1A_signin&&post_logout_redirect_uri=http://localhost:5001

  2. The frontend sends a logout request to the backend tenant - https://backendTenant.b2clogin.com/backendTenant.onmicrosoft.com/b2c_1a_signin_group_1/oauth2/v2.0/logout

  3. The application's post-logout URL is called.


If we observe here, the backend tenant logout request doesn't contain the post_logout_redirect_uri field, hence the backend B2C tenant is not making the IDP logout request. Because of this, the IDP session is not getting cleared.

My questions:

  • How can we make the frontend tenant send the same post_logout_redirect_uri field in the backend logout request?

  • I tried setting an explicit end_session_endpoint in the technical profile, but how can I capture the original logout request and extract the post_redirect_uri?


azure-ad-b2c
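As an added illustration (example code written for this page, not from the question or from Azure AD B2C itself), the snippet below models the forwarding step the frontend tenant would need to perform: it flags which hop of the logout chain lost post_logout_redirect_uri, and it only propagates a redirect target that appears in a constructed allowlist of registered URIs (the allowlist and hypothetical function names are assumptions).

```python
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

# Constructed allowlist: the post-logout redirect URIs registered for the application.
# Only a registered target is forwarded; anything else is dropped, never forwarded.
REGISTERED_POST_LOGOUT_URIS = {"http://localhost:5001"}

# Logout requests observed in the question, in hop order (frontend tenant, backend tenant).
OBSERVED_CHAIN = [
    "https://frontendTenant.b2clogin.com/frontendTenant.onmicrosoft.com/B2C_1A_signin"
    "/oauth2/v2.0/logout?p=B2C_1A_signin&&post_logout_redirect_uri=http://localhost:5001",
    "https://backendTenant.b2clogin.com/backendTenant.onmicrosoft.com/b2c_1a_signin_group_1"
    "/oauth2/v2.0/logout",
]


def parse_logout_request(url):
    """Split an OIDC end-session request URL into (endpoint, query parameters)."""
    parts = urlparse(url)
    # parse_qs skips the empty field produced by the stray '&&' in the frontend URL.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    endpoint = urlunparse(parts._replace(query="", fragment=""))
    return endpoint, params


def find_hops_missing_redirect(chain):
    """Return the indices of hops whose request lacks post_logout_redirect_uri."""
    return [i for i, url in enumerate(chain)
            if "post_logout_redirect_uri" not in parse_logout_request(url)[1]]


def build_downstream_logout(incoming_url, downstream_end_session_endpoint):
    """Build the logout request the frontend should send to the next hop.

    Propagates post_logout_redirect_uri (if registered) and id_token_hint (if present)
    so the downstream tenant/IDP can both end its session and return to the application.
    """
    _, params = parse_logout_request(incoming_url)
    forwarded = {}
    redirect = params.get("post_logout_redirect_uri")
    if redirect in REGISTERED_POST_LOGOUT_URIS:
        forwarded["post_logout_redirect_uri"] = redirect
    if "id_token_hint" in params:
        forwarded["id_token_hint"] = params["id_token_hint"]
    query = "?" + urlencode(forwarded) if forwarded else ""
    return downstream_end_session_endpoint + query


if __name__ == "__main__":
    print("hops missing redirect:", find_hops_missing_redirect(OBSERVED_CHAIN))
    print(build_downstream_logout(OBSERVED_CHAIN[0], OBSERVED_CHAIN[1]))
```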

0 Answers