
How to Logout from Azure B2C on all Services correctly

Security Nov 24, 2022

Azure B2C is an enterprise-scale business-to-consumer (B2C) identity system. It comes in several tiers, including a free tier, which makes it interesting for any developer who wants authentication with Facebook, Google, Amazon, or other identity providers (IdPs).

Most developers generate a login flow and obtain a token. When the user wants to log out, the application only has to clear the cookie that was created and remove the session from the browser cache; the current user is then logged out. This is the common scenario for many applications. Still, some enterprise applications act as a single point of entry and then "redirect" to other services in your architecture.

For those, the solution above (delete the cookie and remove the session) will not work.

The problem in a multi-application architecture

Let's assume you have a "portal" application that redirects to some other services, and those services support single sign-on (SSO) through your portal.

Now User A logs in, navigates to your other service, and is signed in there automatically. After a while, User A goes back to the portal application and signs out. Next, on the same machine, a colleague (User B) logs on to the portal. When User B then navigates to the service, you will notice that User A is still signed in there instead of User B.

What happened here?

In your portal, you removed only the portal's own authentication information. But the other service created a separate cookie of its own. That cookie was not deleted by your code, so the service keeps the first logged-in user. Only when you actively sign out of the target system are you logged out there.

"What? I have to go through each portal to sign off?" you may ask now.

Technically yes, because every system runs its own logout routine, so it is best to call each system's sign-off function.

Azure B2C Solution 1

Instead of navigating to the logout URL of each service yourself, Azure B2C hosts a single endpoint for this logout routine. Microsoft has a documentation page about this URL. In short, you navigate to this URL:

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Fjwt.ms%2

What Azure B2C then does is create a hidden iframe on the Azure B2C logout page. In it, it goes through each registered application and calls the logout URL defined for that application. Once this is done, it redirects you to the URL given in the post_logout_redirect_uri parameter.

Azure B2C Solution 2

Instead of waiting for the redirects, you can do it asynchronously by calling a Graph API method that revokes all login sessions for the current (or a specific) user.

When you want to log out yourself and revoke your own session, you only need to call

https://graph.microsoft.com/beta/me/invalidateAllRefreshTokens

Make sure to send a valid OAuth access token for the current user in the Authorization header. If the call succeeds you get an HTTP 204 back, which means the call was successful.

The Graph API also lets you log out a specific user by modifying the URL like this:

https://graph.microsoft.com/beta/users/{id | userPrincipalName}/invalidateAllRefreshTokens

Instead of "me" you set the user's internal ID (or user principal name) to identify whose sessions to revoke.
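As an added example (not code from the original post), here are small Python helpers covering both solutions above: building the B2C single sign-out URL with a correctly encoded post_logout_redirect_uri, and sending the Graph beta invalidateAllRefreshTokens request and treating only HTTP 204 as success. The tenant name "contoso", the policy "B2C_1_signin" and the token value are assumed placeholders.

```python
"""Azure B2C sign-out helpers (added example, placeholder tenant/policy/token)."""
from typing import Optional
import urllib.error
import urllib.parse
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"


def build_logout_url(tenant: str, policy: str, post_logout_redirect_uri: str) -> str:
    """Solution 1: the B2C logout endpoint, which loads each registered app's
    logout URL in a hidden iframe and then redirects to post_logout_redirect_uri.
    The redirect URI must be fully percent-encoded (':' and '/' included)."""
    encoded = urllib.parse.quote(post_logout_redirect_uri, safe="")
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/logout?post_logout_redirect_uri={encoded}")


def build_revoke_request(access_token: str,
                         user: Optional[str] = None) -> urllib.request.Request:
    """Solution 2: POST .../me/invalidateAllRefreshTokens for the caller, or
    .../users/{id | userPrincipalName}/invalidateAllRefreshTokens for a given user."""
    target = "me" if user is None else f"users/{urllib.parse.quote(user, safe='')}"
    url = f"{GRAPH_BETA}/{target}/invalidateAllRefreshTokens"
    return urllib.request.Request(
        url, method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Length": "0"})


def revoke_sessions(access_token: str, user: Optional[str] = None, opener=None) -> bool:
    """Send the revoke request and return True only on HTTP 204.
    A 401/403 means the bearer token is missing or lacks the needed permission;
    any other status is reported as failure, never silently as success."""
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(build_revoke_request(access_token, user), timeout=10) as resp:
            return resp.status == 204
    except urllib.error.HTTPError as err:
        print(f"Graph revoke failed: HTTP {err.code} {err.reason}")
        return False


if __name__ == "__main__":
    # Placeholder values; in a real app the token comes from the user's login flow.
    print(build_logout_url("contoso", "B2C_1_signin", "https://jwt.ms/"))
    print(build_revoke_request("ACCESS_TOKEN_PLACEHOLDER").full_url)
```

Note that invalidating refresh tokens does not shorten the lifetime of access tokens already issued, so a service holding a still-valid access token may keep accepting it until it expires.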

Conclusion

Yes, single sign-on works very well: it is quickly configured and then it just works. But when you work with multiple applications you will be faced with a logout problem. Azure B2C handles this problem nicely and smoothly with its logout endpoint. And when you want full control over user sessions, you can get it via the Graph API (graph.microsoft.com).
