Azure AD B2C - Sign out a user from all sessions

azure azure-ad-b2c azure-active-directory azure-ad-graph-api
15,074

Solution 1

I might be late. But if that helps. A.c to docs

When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.

Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.

This is called single sign out . Please refer to https://docs.microsoft.com/en-us/azure/active-directory-b2c/session-overview#single-sign-out

Solution 2

According the description on Azure Document:

While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.

So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy endpoint, e.g.:

https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in

You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.

Any further concern, please feel free to let me know.

Solution 3

Microsoft has an API for this by now. I link to the following blog, as the documentation is currently wrong.

microsoft developer blog: revokeSignInSessions & invalidateAllRefreshTokens

Request 
POST https://graph.microsoft.com/beta/users/{id}/revokeSignInSessions 

Response  
HTTP/1.1 204 No Content
Share:
15,074
gfyans
Author by

gfyans

Updated on June 04, 2022

Comments

  • gfyans
    gfyans almost 2 years

    I have 3 websites using a single B2C tenant. I have been asked to set it up so that when a user signs out of one website, sign out of them all.

    Likewise if their account is deleted.

    I thought that I would have to introduce a call to Azure on every request to determine if the user is still logged in, but as far as I can see, there isn't a Graph API endpoint that would allow me to determine the user status.

    Am I thinking about this the wrong way? Is there a way to do this easily using B2C, Graph API, the Active Directory client etc.?

    Maybe there is an option when setting up the OpenIdConnectAuthenticationOptions for example.

  • gfyans
    gfyans over 7 years
    This is what I'm doing, but it still keeps me signed in to other applications until the session expires. I take it I'll need to do a manual check on every request to an API endpoint to determine if I'm still logged in, and if not destroy the session?
  • Chrift
    Chrift almost 5 years
    I am currently trying to do this. I am unable to sign users out from other signed in applications.
  • gfyans
    gfyans almost 4 years
    Although I'm no longer in a position to try it, this sounds like the answer to me.
  • Jeremy
    Jeremy about 3 years
    Correct me if I'm wrong, but this will work for the same browser correct? If the user is logged in on different browsers or devices, how can single sign out be implemented across those as well?
  • Random Guy
    Random Guy about 2 years
    This must be the answer! Just head to Graph Explorer, and you're good to go developer.microsoft.com/en-us/graph/graph-explorer
  • milorad
    milorad almost 2 years
    Do you have an idea where the social account selection data is stored? In my case I do a logout by clearing the cache, upon next login I am presented with a screen to enter my credentials and then when I click on the Sign in with Microsoft I am immediately redirected to the application (whereas on initial login with microsoft I had to make a choice with which Microsoft account do I want to login). How can I force this account selection? (several places mention prompt=account_select but I have no clue where to configure this, in the policy, in the application, or as a part of the URL)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

On premise Active Directory ObjectId is different than Azure Active Directory ObjectId
Unable to get bearer token from Azure AD to use with API App
Azure AD B2C password expiration
Find a User by Email Address
Remove old proxyaddress entry for user in azure active directory
Azure AD vs Azure AD B2C vs Azure AD B2B
Graph API - Insufficient privileges to complete the operation
Invalid request. Request is malformed or invalid. While getting Access Token From Azure
how to get user profile with azure ad in flutter
Flutter app: How to implement a proper logout function?