Azure AD B2C Front-channel logout URL Not Working

[JulianoBiffi]

Hello everyone,

I'm facing an issue with Azure AD B2C for which I'm struggling to find a solution.

I have multiple registered applications, each representing a different product. When I log out of one of these applications, I'd like the sessions in the other applications to be invalidated as well. Upon reviewing the documentation, I discovered that the "Front-channel logout URL" could be the solution to my problem. This functionality, when logging out and providing the idTokenHint, should revoke all sessions of the logged-in user by sending an HTTP GET request. However, this isn't what I'm observing in practice.

To illustrate, I'm using two applications: Application 1, where the login is performed, and Application 2, where the user is already logged in upon accessing it. Both applications can also perform logout. When logging out of either application, the other isn't notified of the logout.

Below are the configurations:

For the second application, I've created an HTTP GET endpoint for validation, and I'm using ngrok to check if Azure AD B2C is indeed calling the endpoint.

Regardless of where the login and logout are performed, the Front-channel is never called. I can log out without issues (when any application attempts to request it, the user needs to log in again, which is the desired behavior.); the problem is that the other application doesn't receive any kind of "notification" that the logout was performed on App 1 and/or App 2, thats keeps the session still active in the other application.

Information about the implementation:

• I followed all the recommendations from the documentation, and my Technical profiles are identical to the recommended ones: here and here.
• I also attempted the implementation from the link, but without success.
• My SUSI policy is using the SingleSignOn method scoped as "Tenant" (doc), EnforceIdTokenHintOnLogout has set as true.
• The Application 1 is using OWIN + .NET FRAMEWORK 4.7 and Application 2 React JS + MSAL.js (allowRedirectInIframe has set as true).
• The both applications is sending the idTokenHint in the logout request.

[JulianoBiffi]

When Application 1 or 2 logged out, I observed in the network inspection tab that Azure AD B2C was not calling the configured URLs. After deleting all my policies and waiting for the cache to clear, I re-uploaded the policies without any changes, and the problem was resolved.

If you are experiencing a similar issue, consider the following actions:

• Delete all policies, wait for the Azure AD B2C cache to update, and re-upload the policies.
• Verify that the configured URLs are correct.
• Ensure that the endpoint you created only clears the cache of your application and does not perform any redirection.

[josefernandezatceiba]

i meant the user flows, in my case i'm using predefined user flows, i modified the apps adding the front-channel logout url and it did not work (it's been 24 hours), i had hopes of letting it replicate the changes so i would not have to delete the user flows i already had. Gonna try creating new ones and if it doesn't work then i'll delete and start from scratch.

[josefernandezatceiba]

should i delete my app registrations as well ? and add them back with the front-channel url again ?

[JulianoBiffi]

In theory, the use of 'user flows' should facilitate its implementation. Make sure your single sign-on configurations are correct by following the documentation.

About deleting all your applications, I don’t believe it will solve the issue (at least it didn’t for me).

Here are some tips that may help you along the way:

1. Make sure both of your applications are making the login request correctly. I noticed that the logout is only called to app when the login request scopes include offline_access (and the app is configured with the "Front-channel logout URL" in the Azure portal), this scope also track the user at Azure AD B2C | Users > User > Audit Logs, apparently it’s responsible for notifying Azure AD B2C that the token will have to go through the refresh token flow source. The scopes "openid", "offline_access" is default to my all applications.
2. Your logout request cannot perform any redirect.
3. Check if your browser tab is persisting the logs and no filters are selected.

Here’s a screenshot of my Mozilla inspection tab, and the flow is as follows:

• The login is performed in App 1 and then in App 2.
• App 1 logs out using the Signout method (clears the current session and makes the logout request to Azure AD B2C).
• It calls the "Front-channel logout URL" of App 1 and then calls the "Front-channel logout URL" of App 2.

[josefernandezatceiba]

1. i have an spa, so the offline_access scope might not be necessary.
2. i'm debugging both apps and i have breakpoints on the front-channel url (neither do redirect)
3. i'm persisting the logs, no filters

[JulianoBiffi]

I really don't know what could be happening. Regarding the offline_access scope, SPAs don't require it, but mine only worked after I added it. Something that might help you, which you probably already know, is that local URLs aren't called, so this could be a potential issue you're facing. If that's the case, I recommend using ngrok for debugging (he create a publicly accessible HTTPS URL that forwards requests to your local host).

I have no idea what else I can add, it took me 2 weeks to solve the problem in question. Don't forget to post the solution here when you find it. Maybe our conversation will help others.

May the force be with you!