
Is it possible to use Single Sign-Out for Azure B2C SPA application? Where do you describe the logout URL #152

Open
xtianus79 opened this issue Jul 4, 2023 · 1 comment

Comments

@xtianus79

The Azure B2C documentation states that it supports Single Log Out (SLO) but I can't figure out how this works with a registered SPA application.

If one app is registered in B2C as app1.mydomain.com and another app as app2.mydomain.com as well, there is a Front-channel logout URL, which is described to be something that will log out the application specifically:

When Azure AD B2C receives the logout request, it uses a front-channel HTML iframe to send an HTTP request to the registered logout URL of each participating application that the user is currently signed in to. Note, the application that triggers the sign-out request will not get this log-out message. Your applications must respond to the sign-out request by clearing the application session that identifies the user.

  • For OpenID Connect and OAuth2 applications, Azure AD B2C sends an HTTP GET request to the registered logout URL.
  • For SAML applications, Azure AD B2C sends a SAML logout request to the registered logout URL.

This is a setting that is in the app registration and for SPA applications there is nothing that you can do to reference the "log out" url.

The front-channel logout URL is predefined as https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<PolicyName>/oauth2/v2.0/logout

So if this is supposed to send an HTML iframe to "logout" of the other applications that it knows about, where can you add the logout URL? It's not in the custom policy or flow.

Other documentation suggests this:

Yes, you need to manually clear the local storage or handle it using your application.

What does that mean? How can we manually clear the cookies if the functionality of the SLO can't work because it does not know about the logout URLs of the applications?

Can we edit the front-channel logout URL to our domains i.e. app1.mydomain.com/logout which then would do something to hit the endpoint and then redirect them to the original Front-Channel logout URL?

Or, do we have to run the checks on the token for each app upon browser refresh and silent refresh capabilities of B2C?
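The quoted documentation says B2C loads each participating application's registered logout URL in a hidden iframe with an HTTP GET, and that the application itself must clear its local session in response. The following is an added example of what a SPA's front-channel logout page (for instance app1.mydomain.com/logout) could do when it is loaded that way; it is not code from this issue, from MSAL or from Microsoft. The tenant name, the client id, the cache key layout (keys that contain the client id) and the optional `iss` check (from OIDC Front-Channel Logout 1.0, which B2C is not confirmed here to send) are all assumptions.

```javascript
// Added example: front-channel logout handler for a SPA's /logout page.
// Azure AD B2C loads this page in a hidden iframe via HTTP GET; the page
// clears the local session and nothing else. Tenant, client id and cache
// key layout below are hypothetical.

const EXPECTED_ISSUER_PREFIX = "https://contoso.b2clogin.com/"; // hypothetical tenant

// If the request carries `iss` (OIDC Front-Channel Logout 1.0), refuse to act
// on a request naming some other issuer. A request without `iss` is accepted:
// this page can only end a session, never create one, so the damage an
// unsolicited load can do is limited to a forced sign-out.
function isAcceptableLogoutRequest(queryString) {
  const params = new URLSearchParams(queryString);
  const iss = params.get("iss");
  if (iss === null) return true;
  return iss.startsWith(EXPECTED_ISSUER_PREFIX);
}

// Remove every cached entry that belongs to this app's client id from a
// Web-Storage-like object (window.localStorage / sessionStorage in a browser,
// or the in-memory fake below). Returns the keys that were removed.
function clearAppSession(storage, clientId) {
  const toRemove = [];
  // Collect first: removing while iterating shifts Web Storage indices.
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (key !== null && key.includes(clientId)) toRemove.push(key);
  }
  for (const key of toRemove) storage.removeItem(key);
  return toRemove;
}

// Entry point for the /logout page. Returns what was done so callers can
// verify it (the iframe itself has no one to report to).
function handleFrontChannelLogout(queryString, storage, clientId) {
  if (!isAcceptableLogoutRequest(queryString)) {
    return { cleared: false, removedKeys: [] };
  }
  return { cleared: true, removedKeys: clearAppSession(storage, clientId) };
}

// Minimal in-memory stand-in for window.localStorage so this also runs in Node.
function makeFakeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key(i) { return Array.from(map.keys())[i] ?? null; },
    getItem(k) { return map.has(k) ? map.get(k) : null; },
    setItem(k, v) { map.set(k, String(v)); },
    removeItem(k) { map.delete(k); },
  };
}

// Browser usage on the /logout page (kept commented so the file runs under Node):
// if (typeof window !== "undefined") {
//   handleFrontChannelLogout(window.location.search, window.localStorage,
//                            "00000000-0000-0000-0000-000000000000"); // hypothetical client id
// }
```

Two things to check on such a page: it must be loadable inside an iframe from the B2C origin, so it cannot be served with `X-Frame-Options: DENY` or a `Content-Security-Policy` `frame-ancestors` that excludes `https://<your-tenant-name>.b2clogin.com`; and it should do nothing but clear state, since it will be loaded without any user interaction.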

@vlmironov

vlmironov commented Jan 23, 2024

@xtianus79
This helped me a ton to understand how Single Sign Out works:
https://youtu.be/AmDHni22TVs?si=77DXrYN0XwLS8fk6

2 participants