Hello everyone,
I'm facing an issue with Azure AD B2C for which I'm struggling to find a solution.
I have multiple registered applications, each representing a different product. When I log out of one of these applications, I'd like the sessions in the other applications to be invalidated as well. Upon reviewing the documentation, I discovered that the "Front-channel logout URL" could be the solution to my problem. This functionality, when logging out and providing the idTokenHint, should revoke all sessions of the logged-in user by sending an HTTP GET request. However, this isn't what I'm observing in practice.
To illustrate, I'm using two applications: Application 1, where the login is performed, and Application 2, where the user is already logged in upon accessing it. Both applications can also perform logout. When logging out of either application, the other isn't notified of the logout.
Below are the configurations:
For the second application, I've created an HTTP GET endpoint for validation, and I'm using ngrok to check if Azure AD B2C is indeed calling the endpoint.
Regardless of where the login and logout are performed, the Front-channel is never called. I can log out without issues (when any application attempts to request it, the user needs to log in again, which is the desired behavior); the problem is that the other application doesn't receive any kind of "notification" that the logout was performed on App 1 and/or App 2, which keeps the session active in the other application.
Information about the implementation:
- I followed all the recommendations from the documentation, and my Technical profiles are identical to the recommended ones: here and here.
- I also attempted the implementation from the link, but without success.
- My SUSI policy is using the SingleSignOn method scoped as "Tenant" (doc), and EnforceIdTokenHintOnLogout is set to true.
- Application 1 is using OWIN + .NET Framework 4.7, and Application 2 React JS + MSAL.js (allowRedirectInIframe is set to true).
- Both applications are sending the idTokenHint in the logout request.
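Added example, not from the original post: a minimal JavaScript handler for the front-channel logout GET, as the endpoint behind Application 2's "Front-channel logout URL" might implement it. It assumes the `iss` and `sid` query parameters defined by the OpenID Connect Front-Channel Logout spec (whether B2C sends both is an assumption here); the issuer value and the session entries are constructed placeholders.

```javascript
// Expected issuer of the B2C tenant; placeholder values, replace with your own.
const EXPECTED_ISSUER = "https://<tenant>.b2clogin.com/<tenant-id>/v2.0/";

// Constructed in-memory session store keyed by the identity provider's
// session id (sid), which the app records from the id_token at login.
const sessionStore = new Map([
  ["sid-alice-1", { user: "alice", createdAt: "2024-01-01T00:00:00Z" }],
  ["sid-bob-7", { user: "bob", createdAt: "2024-01-01T00:05:00Z" }],
]);

// Audit trail of every hit on the endpoint. Reading this (or the ngrok
// request log) is how you confirm whether B2C actually called the URL.
const receivedRequests = [];

// Handles GET <front-channel-logout-url>?iss=...&sid=... and returns the
// response the endpoint should send. `requestUrl` is the full request URL.
function handleFrontChannelLogout(requestUrl, store = sessionStore) {
  const url = new URL(requestUrl);
  const iss = url.searchParams.get("iss");
  const sid = url.searchParams.get("sid");
  receivedRequests.push({ at: new Date().toISOString(), iss, sid });

  // The response must never be cached, or the browser may skip the
  // request on the next logout and the local session would survive.
  const headers = { "Cache-Control": "no-store", Pragma: "no-cache" };

  // Only honour logout notifications that claim to come from our tenant.
  if (iss !== EXPECTED_ISSUER) {
    return { status: 400, headers, revoked: false, reason: "issuer mismatch" };
  }
  if (!sid) {
    return { status: 400, headers, revoked: false, reason: "missing sid" };
  }

  // Idempotent: a repeat call for an already-cleared sid still answers 200,
  // so the identity provider never sees an error for a stale notification.
  const revoked = store.delete(sid);
  return {
    status: 200,
    headers,
    revoked,
    reason: revoked ? "session cleared" : "no such session",
  };
}
```

Pointing ngrok at this handler and inspecting `receivedRequests` separates "B2C never calls the URL" (the symptom in the post) from "the call arrives but the session is not cleared".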