This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 47%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
Hello everyone,
I'm facing an issue with Azure AD B2C for which I'm struggling to find a solution.
I have multiple registered applications, each representing a different product. When I log out of one of these applications, I'd like the sessions in the other applications to be invalidated as well. Upon reviewing the documentation, I discovered that the "Front-channel logout URL" could be the solution to my problem. This functionality, when logging out and providing the idTokenHint, should revoke all sessions of the logged-in user by sending an HTTP GET request. However, this isn't what I'm observing in practice.
To illustrate, I'm using two applications: Application 1, where the login is performed, and Application 2, where the user is already logged in upon accessing it. Both applications can also perform logout. When logging out of either application, the other isn't notified of the logout.
Below are the configurations:
For the second application, I've created an HTTP GET endpoint for validation, and I'm using ngrok to check if Azure AD B2C is indeed calling the endpoint.
Regardless of where the login and logout are performed, the Front-channel is never called. I can log out without issues (when any application attempts to request it, the user needs to log in again, which is the desired behavior.); the problem is that the other application doesn't receive any kind of "notification" that the logout was performed on App 1 and/or App 2, thats keeps the session still active in the other application.
Information about the implementation:
allowRedirectInIframe has set as true).idTokenHint in the logout request.![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi @Juliano Roberto da Silva Biffi
Thank you for reaching out to us!
I understand that you're facing an issue with Azure AD B2C's front-channel logout URL. You have multiple registered applications, and when you log out of one application, you would like the sessions in the other applications to be invalidated as well.
This scenario can occur when several applications are registered within the same Azure AD B2C tenant, and each application has its own front-channel logout URL.
To resolve the issue, use a single front-channel logout URL for all applications that use the same Azure AD B2C tenant. This can be achieved by configuring the Azure AD B2C tenant to use a single front-channel logout URL for all applications.
Hope this helps. Do let us know if you any further queries.
Thanks,
Akhilesh.
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hello Akhilesh, thank you very much for the anwer!
Basically, you're recommending that all my applications should use the same logout URL. But how would that work? Considering that each application is a different product with different source codes and in different languages, I don't understand how that would solve the problem.
One way I see based on your response would be to centralize the logout in one application. For example, if application 2 wants to log out, it should access https://app1.com/Account/SignOut instead of accessing https://{tenantname}.b2clogin.com/{tenantname}.onmicrosoft.com/{susi}/oauth2/v2.0/logout. This would solve the problem, but it doesn't make sense to delegate such responsibility to application 1, since it would be responsible for logging out of all applications. The documentation specifies that Azure AD B2C sends an HTTP GET request to the registered logout route, I just can't understand why it's not working.
Hi @Juliano Roberto da Silva Biffi
To approach your ask below is the flow
User logs into App1 and App2. Azure AD B2C remembers that the user is logged into both apps
Please refer the following link which is explained about Single Sign Out
Single Sign Out (Single Logout) with Azure AD B2C
When Application 1 or 2 logged out, I observed in the network inspection tab that Azure AD B2C was not calling the configured URLs. After deleting all my policies and waiting for the cache to clear, I re-uploaded the policies without any changes, and the problem was resolved.
If you are experiencing a similar issue, consider the following actions:
Thaks for your support Akhilesh!