5

I am using the following method to implement logout functionality for Azure Web App.

I am using the url https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1} where {0} is the Azure AD url and {1} is the web app url.

Sample url: https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout?post_logout_redirect_uri=http://myazurewebapp.azurewebsites.net

This gives me the output stating

You signed out of your account

It's a good idea to close all browser windows.

But when I put the site url on the browser the user goes through without going through authentication. I have also added code for expiring the cookies, but it's not helping. After signout I want the user to be redirected to the login page and also the user should have to go through authentication for logging in.

Bruce Chen
  • 18,207
  • 2
  • 21
  • 35
Sam Ganguly
  • 77
  • 1
  • 5
  • Are you using the built-in [authentication and authorization](https://learn.microsoft.com/en-us/azure/app-service-api/app-service-api-authentication) services provided by Azure App Service? Have a look at this [issue](http://stackoverflow.com/questions/39386633/how-to-signout-from-an-azure-application) and [issue](http://stackoverflow.com/questions/32592787/owin-authentication-signout-doesnt-remove-cookies). – Bruce Chen Feb 14 '17 at 09:19
  • @Bruce, yes, we are using the built-in authentication and authorization services provided by Azure App Service. We have tried these links, but no luck! – Sam Ganguly Feb 14 '17 at 12:57
  • In this scenario, there will be 2 cookies set for the logged in user. One cookie for 'login.microsoftonline.com' and one for your site. It is not clear in your post which cookie is at fault for logging in the user again. Hitting the 'logout' url should wipe the cookie for the login endpoint, but you then need to make sure that you are also writing code to remove the cookie for your web app. – Shawn Tabrizi Feb 14 '17 at 20:52

4 Answers

1

According to your description, I have created a new ASP.NET Web Application that doesn't require any user authentication, then I followed this tutorial for configuring my web app to use AAD login.

To restrict access to your site to only users authenticated by Azure Active Directory, set Action to take when request is not authenticated to Log in with Azure Active Directory.

When a user has logged in, you could find a cookie named AppServiceAuthSession as follows:

[screenshot omitted]

For a simple way to log out, you could just call https://{your-webapp-name}.azurewebsites.net/.auth/logout; this built-in endpoint would clear your browser cookies first, then redirect you to Azure AD to process the log out, as follows:

[screenshot omitted]

When the log out operation is finished at the Azure AD side, the browser would redirect you to the post_logout_redirect_uri (/.auth/logout/complete by default) as follows:

[screenshot omitted]

In summary, please leverage Fiddler to capture the requests when performing log out in your web app, and check whether the cookie AppServiceAuthSession has been removed after you logged out.

Bruce Chen
  • 18,207
  • 2
  • 21
  • 35
  • I have tried this method already. The page is redirected to the log out page. But if I again put the homepage URL, I get redirected to the page without going through authentication. I have checked the cookies in the browser. Cookies for my web app are shown as deleted once I hit the URL, but the cookie for 'login.microsoftonline.com' is still there. – Sam Ganguly Feb 15 '17 at 09:46
  • Do you mean you have checked that the `AppServiceAuthSession` cookie has been removed from your browser after you logged out? As I know, if 'AppServiceAuthSession' is removed, then the user needs to sign in. Are you using [URL Authorization Rules](https://blogs.msdn.microsoft.com/appserviceteam/2016/11/17/url-authorization-rules/)? – Bruce Chen Feb 15 '17 at 10:18
  • Have you set **Action to take when request is not authenticated** to **AD** under the "Authentication/Authorization" blade of your web app? – Bruce Chen Feb 15 '17 at 10:21
  • No, I am not using any Action to take when request is not authenticated to AD. I have checked in Chrome that AppServiceAuthSession is deleted. – Sam Ganguly Feb 15 '17 at 10:57
0

@Bruce, no, I am not using any URL authentication rules. Let me tell you what's happening step by step. 1) I have used the same URL you provided as the log out URL. 2) The page is redirecting to https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout?post_logout_redirect_uri=https://mywebapp.azurewebsites.net/.auth/login/aad/callback. It's not getting redirected to the default logout page.

[image: cookies on the page after redirecting to the logout URL]

3) If I navigate to the default logout page (/.auth/logout/complete) and click on "Return to website", for a brief moment it redirects to the Azure AD login page //login.microsoftonline.com/dcc17943-54b6-4bc7-b284-71d39f03aeb0/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fmywebapp.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=1ab2f820-2ca0-4a78-bfea-c849b91d339d&scope=openid+profile+email&response_mode=form_post&state=redir%3D%252F%26b2cPolicy%3D&nonce=d74940629d5e434eb6454648d33f371d_20170215104002. It seems like it gets authenticated there automatically, and then redirects to the home page. I have deleted cookies manually too. Still the same result.

Sam Ganguly
  • 77
  • 1
  • 5
  • Your `post_logout_redirect_uri` is incorrect; `.auth/login/aad/callback` is used as the login callback. According to your scenario, when you access `/.auth/logout`, `AppServiceAuthSession` is successfully cleared. I assume that the log out operation is not finished correctly at the Azure AD side, so when you access your site you would be redirected to the AAD login page and get authenticated automatically. – Bruce Chen Feb 16 '17 at 02:38
  • Please try to leverage `https://{your-webapp-name}.azurewebsites.net/.auth/logout?post_logout_redirect_uri=/.auth/logout/complete` or `https://{your-webapp-name}.azurewebsites.net/.auth/logout?post_logout_redirect_uri={your-custom-page}` as the logout URL to test your logout operation. Also, please follow this [tutorial](https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-active-directory-authentication?toc=%2fazure%2fapp-service%2ftoc.json) to check your registered application with AAD. – Bruce Chen Feb 16 '17 at 02:38
  • I have used exactly the same URL https://{your-webapp-name}.azurewebsites.net/.auth/logout?post_logout_redirect_uri=/.auth/logout/complete and AppServiceAuthSession is successfully cleared. But it doesn't clear the cookies for https://login.microsoftonline.com/. That's where the problem is. If I manually delete the cookies I get the login screen. But if I don't, the home page URL briefly goes through the login page, authenticates itself using the browser cookies and doesn't ask for any authentication from the user. – Sam Ganguly Feb 16 '17 at 04:28
  • When you call `/.auth/logout?post_logout_redirect_uri={custom-page}`, does the browser redirect you to the configured `post_logout_redirect_uri` automatically? As I know, it is impossible for you to clear a cookie from another domain in the front-end (via JS); if the logout operation is successfully executed at the AD side, the response would set the cookie for `login.microsoftonline.com` in your browser, then the user needs to login again. Have you tried using another browser to test this issue? – Bruce Chen Feb 16 '17 at 05:02
  • No, the browser doesn't redirect me to the post_logout_redirect_uri. I have tried this in both IE 11 and Chrome. Same result. And you are right, I don't think it's possible to clear a cookie from another domain via JS. – Sam Ganguly Feb 16 '17 at 07:22
  • What management mode are you using, Express or Advanced, under the `Authentication/Authorization` blade of your web app? I assume there is something wrong with your configuration; please try to follow [How to configure your App Service application to use Azure Active Directory login](https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-active-directory-authentication?toc=%2fazure%2fapp-service%2ftoc.json) again to check your settings. Also, you could try to register a new app with AAD to isolate this issue. – Bruce Chen Feb 16 '17 at 07:40
  • I am using Authentication/Authorization under Advanced. Authentication works fine. I followed the same link you added in the previous comment. I am using a separate App Registration for this as well. – Sam Ganguly Feb 16 '17 at 08:18
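The answer above recommends capturing the `/.auth/logout` response with Fiddler and checking that `AppServiceAuthSession` is really cleared, and the comment thread pins the misbehaviour on a `post_logout_redirect_uri` that points at the login callback. The script below is an added example, not code from the thread or from Azure App Service: it takes the headers of a captured logout response (pasted into a dict; the sample headers, cookie attributes and status codes are constructed for this example) and reports both problems. The hostnames `mywebapp.azurewebsites.net` and `myazuread.onmicrosoft.com` are the ones used in the thread; the exact `Set-Cookie` format the platform emits is an assumption.

```python
"""Audit a captured App Service sign-out response (added example, not from the thread).

Assumes the /.auth/logout response was captured with a proxy such as Fiddler and
its headers pasted into a dict; all header values below are constructed samples.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

AAD_LOGOUT_HOST = "login.microsoftonline.com"
SESSION_COOKIE = "AppServiceAuthSession"
LOGIN_CALLBACK_SUFFIX = "/.auth/login/aad/callback"  # a login callback, never a logout target


def build_logout_url(webapp_host, post_logout_redirect="/.auth/logout/complete"):
    """Build the built-in App Service logout URL for the given web app host."""
    query = urlencode({"post_logout_redirect_uri": post_logout_redirect})
    return f"https://{webapp_host}/.auth/logout?{query}"


def cookie_cleared(set_cookie_headers, name=SESSION_COOKIE, now=None):
    """True when some Set-Cookie header expires `name` (Max-Age<=0 or Expires in the past)."""
    now = now or datetime.now(timezone.utc)
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        morsel = jar.get(name)
        if morsel is None:
            continue
        if morsel["max-age"] and int(morsel["max-age"]) <= 0:
            return True
        if morsel["expires"]:
            try:
                expires = parsedate_to_datetime(morsel["expires"])
            except (TypeError, ValueError):
                continue
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                return True
    return False


def check_logout_redirect(location):
    """Return a list of problems with the Location header of the /.auth/logout response."""
    problems = []
    target = urlparse(location)
    if target.hostname != AAD_LOGOUT_HOST or not target.path.endswith("/oauth2/logout"):
        problems.append("redirect does not go to the Azure AD logout endpoint")
    params = parse_qs(target.query)
    post_logout = params.get("post_logout_redirect_uri", [""])[0]
    if not post_logout:
        problems.append("no post_logout_redirect_uri on the Azure AD logout request")
    elif urlparse(post_logout).path.endswith(LOGIN_CALLBACK_SUFFIX):
        problems.append("post_logout_redirect_uri is the login callback, "
                        "so completing sign-out bounces straight back into login")
    return problems


def audit_logout_capture(capture):
    """Combine both checks over a captured response: {'status', 'location', 'set_cookie'}."""
    findings = check_logout_redirect(capture.get("location", ""))
    if capture.get("status") not in (301, 302, 303, 307):
        findings.append("logout endpoint did not answer with a redirect")
    if not cookie_cleared(capture.get("set_cookie", [])):
        findings.append(f"{SESSION_COOKIE} was not cleared by the app")
    return findings


# Constructed sample: the flow described in the accepted answer (cookie expired, AAD logout next).
GOOD_CAPTURE = {
    "status": 302,
    "location": ("https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout"
                 "?post_logout_redirect_uri=https%3A%2F%2Fmywebapp.azurewebsites.net"
                 "%2F.auth%2Flogout%2Fcomplete"),
    "set_cookie": [f"{SESSION_COOKIE}=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; "
                   "HttpOnly; Secure"],
}

# Constructed sample of the misconfiguration from the comment thread: post_logout_redirect_uri
# is the login callback, and the session cookie is left untouched.
BAD_CAPTURE = {
    "status": 302,
    "location": ("https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout"
                 "?post_logout_redirect_uri=https%3A%2F%2Fmywebapp.azurewebsites.net"
                 "%2F.auth%2Flogin%2Faad%2Fcallback"),
    "set_cookie": [],
}

if __name__ == "__main__":
    print(build_logout_url("mywebapp.azurewebsites.net"))
    for label, cap in (("good", GOOD_CAPTURE), ("bad", BAD_CAPTURE)):
        print(label, audit_logout_capture(cap) or ["no problems found"])
```

Run against a real capture, an empty finding list means the app side did its part: the session cookie was expired and the browser was sent on to Azure AD with a sensible return address. Whatever Azure AD then does with its own `login.microsoftonline.com` cookie is outside the app's control, which is why the thread ends up looking at the identity provider rather than the web app.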
0

@Bruce, I found something. If I manually delete all the cookies from chrome://settings/cookies and then redirect the page, then it works. Can I do it programmatically, using JavaScript or C#?

Sam Ganguly
  • 77
  • 1
  • 5
0

One reason that your post-logout redirection is not working might be because of this Azure AD behavior that caused issues in my case:

  • It doesn't work for root accounts of the tenant, that is, my personal account which created the Azure subscription.
  • But it works for new accounts I created inside my subscription.
Jan Muncinsky
  • 4,282
  • 4
  • 22
  • 40