
Logout Redirect with Azure B2C and .NET Core

Bear with me since I am fairly new to Azure B2C. My problem is that I can't seem to be able to set a logout redirect uri when logging out of my Azure B2C authenticated app.

Some background info, the app is a .NET core web app with razor pages and had authentication set up through the helper tool in visual studio on the creation of the project.

I can see the default logout button that was generated accesses an asp-area titled "AzureADB2C" with the asp-controller "Account" and the asp-action "SignOut". All of which are hidden in the B2C library that I do not seem to have access to in my solution.

I have tried creating my own logout button that deletes out the auth cookies and then sends a logout request to microsoft with a redirect url attached but that did not seem to work.

This is the default logout provided on the creation of the project:

<a class="nav-link text-dark" asp-area="AzureADB2C" asp-controller="Account" asp-action="SignOut">Sign out</a>

Back-end method I tried, to remove auth cookies and redirect, that did not work:

public RedirectResult OnPostLogout()
{
    // Delete every cookie the browser sent with this request.
    // This only clears the local application session.
    foreach (var cookieKey in Request.Cookies.Keys)
    {
        Response.Cookies.Delete(cookieKey);
    }

    // Redirect to the App Service /.auth/logout endpoint with a post-logout URL.
    // (The URL must be a string literal; the original was missing the quotes.)
    return new RedirectResult("https://MyApp.azurewebsites.net/.auth/logout?post_logout_redirect_uri=https%3A%2F%2Fgoogle.com");
}

When I try my own logout button the redirect does not seem to work.

While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.

When you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. Redirect the user to Azure AD B2C to sign out. If you fail to do so, the user might be able to reauthenticate to your application without entering their credentials again.

You can simply redirect the user to the end_session endpoint that is listed in the OpenID Connect metadata document:

GET https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/oauth2/v2.0/logout?
p=b2c_1_sign_in
&post_logout_redirect_uri=https%3A%2F%2Faadb2cplayground.azurewebsites.net%2F

https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in

Refer to the doc below for further reference:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc#send-a-sign-out-request

Hope it helps.

You didn't specify if your B2C tenant is set to allow "social" identity providers (eg Google, Facebook, etc.) or only the local one built in the B2C tenant. External IdPs add some significant issues.

In any case, at logout you should redirect to the URL specified on Microsoft's documentation page, which is different from what you're trying:

https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/oauth2/v2.0/logout?p=b2c_1_sign_in&post_logout_redirect_uri=https%3A%2F%2Faadb2cplayground.azurewebsites.net%2F

Since the logout mechanism is browser-based, you can easily see if you get correctly redirected using the browser's dev tools or Fiddler.
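Both answers say the same thing: clearing cookies is not a sign-out, the browser has to be sent to the B2C end_session endpoint. Here is an added example (not code from the question, the answers, or the AzureADB2C.UI package) of a Razor Pages handler that lets the OpenID Connect middleware build that redirect instead of hand-crafting the URL. It assumes the project template wired up Microsoft.AspNetCore.Authentication.AzureADB2C.UI (the scheme names come from its AzureADB2CDefaults class) and that the post-logout landing URL is a placeholder registered as a reply URL on the B2C app registration.

```csharp
// Added example: sign out of the local cookie session AND the B2C session.
// Assumes the AzureADB2C.UI package that the Visual Studio template configures.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public class LogoutModel : PageModel
{
    // Hypothetical landing page. Use an absolute URL and register it as a
    // reply/redirect URI on the B2C app registration, or B2C will not honour it.
    private const string PostLogoutUri = "https://MyApp.azurewebsites.net/signed-out";

    public async Task<IActionResult> OnPostAsync()
    {
        // The "AzureADB2C" policy scheme forwards to the cookie scheme, so this
        // tells us whether there is a local session at all.
        var result = await HttpContext.AuthenticateAsync(AzureADB2CDefaults.AuthenticationScheme);
        if (!result.Succeeded)
        {
            // No local session: nothing to clear and no B2C round trip needed.
            return Redirect(PostLogoutUri);
        }

        // Signing out of both schemes does two things:
        //  1. the cookie handler removes the application's auth cookie;
        //  2. the OpenID Connect handler reads end_session_endpoint from the
        //     policy's metadata document and redirects the browser to
        //     .../oauth2/v2.0/logout?p=<policy>&post_logout_redirect_uri=<RedirectUri>
        // That second step is what ends the B2C single sign-on session; deleting
        // cookies alone (as in the question) leaves it intact.
        return SignOut(
            new AuthenticationProperties { RedirectUri = PostLogoutUri },
            AzureADB2CDefaults.CookieScheme,
            AzureADB2CDefaults.OpenIdScheme);
    }
}
```

As the second answer notes, the redirect chain is visible in the browser's dev tools: you should see a 302 to the b2clogin.com logout URL followed by a 302 back to the post_logout_redirect_uri. If the second hop is missing, check that the URI is registered on the app registration.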
