
Azure AD Auth - log out of specific app/ only?

Here's my logout code (using CakePHP).

// Controller action (relies on Cake\Core\Configure for the tenant id)
public function logout()
{
    $this->clearTokens();                 // drop the stored OAuth tokens
    $this->Authentication->logout();      // clear the local CakePHP identity
    // Send the browser to the tenant's end_session_endpoint, then back to the site
    return $this->redirect('https://login.microsoftonline.com/'
        . Configure::read('Azure.tenantId')
        . '/oauth2/logout?post_logout_redirect_uri='
        . urlencode('https://example.com/'));
}

So the user hits "logout" in the app; it clears some session data, then redirects to Microsoft to log out properly and redirect back again.

This seems to work OK, but it logs me out of everything. I was hoping to just log out of the specific application. I've substituted tenantId for appId, but it doesn't seem to make any difference.

Is this possible?

Your logout behavior is not consistent with the description in the official document.

When you redirect the user to the end_session_endpoint, the Microsoft identity platform clears the user's session from the browser. However, the user may still be signed in to other applications that use Microsoft accounts for authentication. To enable those applications to sign the user out simultaneously, the Microsoft identity platform sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.

In other words, just calling the /logout?post_logout_redirect_uri={0} endpoint is not enough to log your users out of all Applications. You still need to set the LogoutUrl from the app registration portal and implement such a LogoutUrl in your application's code to support single sign-out in your application.

Make sure you remove the LogoutUrl part in your configuration and it won't log you out from everywhere.
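As an added example (not code from the question or the answer), this CakePHP 4 controller puts the three pieces side by side: an app-only logout that never visits end_session_endpoint, a global logout that does, and the LogoutUrl handler the answer says single sign-out needs. The Azure.tenantId key and the /oauth2/logout URL come from the question; the `sid` query parameter, the 'oidc.sid' session key and the AuthController name are assumptions.

```php
<?php
namespace App\Controller;

use Cake\Core\Configure;
use Cake\Event\EventInterface;
use Cake\Http\Response;

class AuthController extends AppController
{
    public function beforeFilter(EventInterface $event): void
    {
        parent::beforeFilter($event);
        // Microsoft loads the LogoutUrl in a hidden iframe with no app login: the action
        // must be reachable unauthenticated (CakePHP's CSRF middleware does not check GET).
        $this->Authentication->addUnauthenticatedActions(['frontChannelLogout']);
    }

    // App-only logout: clear the local session and stop. Not visiting end_session_endpoint
    // leaves the Microsoft session, and so every other app, signed in.
    public function logout(): ?Response
    {
        $this->Authentication->logout();
        $this->request->getSession()->destroy();
        return $this->redirect('/');
    }

    // Global logout: clear locally, then send the browser to end_session_endpoint.
    // post_logout_redirect_uri must be a redirect URI registered for the app.
    public function logoutEverywhere(): ?Response
    {
        $this->Authentication->logout();
        $this->request->getSession()->destroy();
        $url = 'https://login.microsoftonline.com/' . Configure::read('Azure.tenantId')
            . '/oauth2/logout?' . http_build_query(['post_logout_redirect_uri' => 'https://example.com/']);
        return $this->redirect($url);
    }

    // LogoutUrl handler for single sign-out: Microsoft GETs this when the user signs out
    // elsewhere; clear the session and answer 200 with no redirect. Assumed: a `sid` query
    // parameter, checked against the ID token's sid claim saved at login under 'oidc.sid',
    // so an unrelated GET cannot end the session. The session cookie must be sent cross-site
    // (SameSite=None; Secure), otherwise the iframe request arrives with nothing to clear.
    public function frontChannelLogout(): Response
    {
        $session = $this->request->getSession();
        $expected = $session->read('oidc.sid');
        $given = $this->request->getQuery('sid');
        if ($expected === null || $given === null || hash_equals((string)$expected, (string)$given)) {
            $this->Authentication->logout();
            $session->destroy();
        }
        return $this->response->withStatus(200)->withStringBody('');
    }
}
```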
