Azure AD Logout URL not redirecting

Question

I am building the following URL

https://login.microsoftonline.com/<tenantid>/oauth2/logout?client_id=<clientId>&post_logout_redirect_uri=<encodedurl>

It looks something like

https://login.microsoftonline.com/f4aaf6e1-ffff-ffff-bb63-4e8ebf728113/oauth2/logout?client_id=f562b4e3-ffff-ffff-b4bb-49ca64216e75&post_logout_redirect_uri=https%3A%2F%2Fmyazureapp.azurewebsites.net

It logs me out but does not redirect me back to my app

Like this URL does for azure

https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3a%2f%2fmanage.windowsazure.com%2fSignOut%2fComplete

I have looked at the suggested related Q's and I have tried a few variations.

Edit it turned out to be an intermitted issue which I guess was due to some cookies / other state not be reset when I was doing my dev / test cycles. With a fresh browser it works. When it works the sign out screen says something like "Hang on a moment while we sign you out" then it redirects, when it does not work the screen says "you have been signed out, please close your browser"

score 9 · Answer 1 · answered Aug 29 '17 at 14:46

9

Set the Logout URL property in your AD application.

Log into the AAD admin center portal
Go to App registrations as shown
Select your AD application
Go to Properties
Update your intended application logout redirection URL as shown
Save

answered Aug 29 '17 at 14:46

juvchan

6,113
2
22
35

I checked this, BUT I would double check :) – Steve Drake Aug 29 '17 at 18:02
see my edit, I have this set to blank and its working. I am using JWT to auth so when I sign out I hit Azure then hit my page which clears the JWT tokens. – Steve Drake Aug 30 '17 at 09:42
2

i think the Logout URL is how Azure tells your application when another application has logged out and that log out should be propagated to all other apps using the same token: https://learn.microsoft.com/bs-latn-ba/azure/active-directory/develop/v1-protocols-openid-connect-code?view=azureelasticdbjobsps-0.8.33#single-sign-out – Matt Felzani Mar 05 '19 at 20:32
3

Since the example above uses `localhost`, bear in mind that (at the time of writing) the Azure Portal doesn't allow to use `http://localhost` for Logout URL, and requires a URL starting with `https`. – Devis L. Aug 06 '19 at 19:17

score 2 · Answer 2 · answered Jan 17 '19 at 13:48

2

I had this issue aswell, what worked for me is:

I added my logout URL in the properties, and as reply URL aswell.
The logout button has the following href:

https://login.windows.net/<tenant_id_of_your_app>/oauth2/logout?post_logout_redirect_uri=<logout_URL_of_your_app>/logout

answered Jan 17 '19 at 13:48

tnh98

21
2

what changes did you do to the manifest ? could you please explain. – Avin Mathew Jan 11 '21 at 06:02

score 1 · Answer 3 · answered Aug 30 '17 at 03:24

1

I am assume you were using the OpenIDConnect flow and want to sign user out. To ensure the redirection from Azure AD to the URL we specify with post_logout_redirect_uri parameter, we need to register in the Reply URLs of app register on the Azure portal.

After that, we also need to ensure that the users are sign-in out in Azure AD successfully. For example, we sign-in the user after that we sign-out the user. This time the redirect should work expected. Then we send a sign-out request again, then this time the redirection will not work since the user already be sign-out.

In-addition, there is no need to provide the client_id parameter for the request to end_session_endpoint via OpenIdConnect flow. More detail about this OpenIdConnect, you can refer the document below:

Authorize access to web applications using OpenID Connect and Azure Active Directory

answered Aug 30 '17 at 03:24

Fei Xue

14,369
1
19
27

1

I did have the URL registered in my *Reply URLs* although I am not sure they're needed for the signout process (tested with random same orgin URLs and it works), for example with the AZURE page you can just nav to https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3a%2f%2fmanage.windowsazure.com%2fSignOut%2fCompleteX (note the X) , it will signout, then challenge you to sign it and then you got a 404 as CompleteX does not exist. It does need to be the same origin though you cannot send it to google for example. Maybe the origin is matched with replyurls – Steve Drake Aug 30 '17 at 09:41
The **X** will not affect this behavior, since the redirection only determined by the domain. For example, if replace this URL with a incorrect domain like `http://test.com'(the browser determine the server by domain) it will stay on the sign-out page. And if you want after users sign-out it will redirect to the site `https%3A%2F%2Fmyazureapp.azurewebsites.net` You should resigter it as the **Reply URLs** of your apps. Please let me know if it helps. – Fei Xue Aug 31 '17 at 07:16
By adding the URL to the reply urls the logout redirection started working. – carraua Jan 09 '19 at 14:19
@carraua can you please tell me a format of the url you put – Avin Mathew Jan 11 '21 at 06:04

Yogesh Patil · Answer 4 · 2022-04-07T05:34:28.153

1

Below logout url works for me , without configuring logout URL in azure app. [Front-channel logout URL]

https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/logout?post_logout_redirect_uri={baseurlOfdWebsite}

here baseurlOfdWebsite should be URL Encoded

edited Apr 07 '22 at 05:34

answered Mar 31 '22 at 17:06

Yogesh Patil

151
1
6

score 0 · Answer 5 · answered May 15 '21 at 13:55

With Python, Flask and MSAL 2.0 I did the following:

@app.route("/logout")
def logout():
    logout_user()
    if session.get("user"):  # Used MS Login
        # Wipe out user and its token cache from session
        session.clear()
        # Also logout from your tenant's web session
        redirect(
            Config.AUTHORITY
            + "/oauth2/v2.0/logout"
            + "?post_logout_redirect_uri="
            + url_for("login", _external=True, _scheme="https")
        )
    app.logger.info("Logging user out.")
    return redirect(url_for("login"))

In Azure Portal configured my endpoints like this:

Environment variables are configured like this

# Oauth - Azure Active Directory and MSAL
export CLIENT_SECRET=<your-client-secret>
export CLIENT_ID=<your-client-id>
export REDIRECT_PATH=/getAToken
export SESSION_TYPE=filesystem
export AUTHORITY=https://login.microsoftonline.com/common
export SCOPE=User.Read
export SESSION_TYPE=filesystem

config.py file

import os

from dotenv import load_dotenv

basedir = os.path.abspath(os.path.dirname(__file__))
load_dotenv(os.path.join(basedir, ".env"))


class Config(object):
    ### Info for MS Authentication ###
    ### As adapted from: https://github.com/Azure-Samples/ms-identity-python-webapp ###
    CLIENT_SECRET = os.environ.get("CLIENT_SECRET")
    # In your production app, Microsoft recommends you to use other ways to store your secret,
    # such as KeyVault, or environment variable as described in Flask's documentation here:
    # https://flask.palletsprojects.com/en/1.1.x/config/#configuring-from-environment-variables
    # CLIENT_SECRET = os.getenv("CLIENT_SECRET")
    # if not CLIENT_SECRET:
    #     raise ValueError("Need to define CLIENT_SECRET environment variable")

    AUTHORITY = os.environ.get("AUTHORITY")  # For multi-tenant app, else put tenant name
    # AUTHORITY = "https://login.microsoftonline.com/Enter_the_Tenant_Name_Here"

    CLIENT_ID = os.environ.get("CLIENT_ID")  #

    REDIRECT_PATH = os.environ.get(
        "REDIRECT_PATH"
    )  #  Used to form an absolute URL; must match to app's redirect_uri set in AAD

    # You can find the proper permission names from this document
    # https://learn.microsoft.com/en-us/graph/permissions-reference
    SCOPE = [os.environ.get("SCOPE")]  # Only need to read user profile for this app

    SESSION_TYPE = os.environ.get(
        "SESSION_TYPE"
    )  # Token cache will be stored in server-side session

Azure AD Logout URL not redirecting

5 Answers5

Linked