I have an Azure App Service Authentication / Authorization configured to sign in with Microsoft (aka Easy Auth). Everything works great. However, I'm confused about the logout behavior. If I go to myapp/.auth/logout I am definitely logged out since I no longer see the X-MS-CLIENT... headers on requests.

Then I go to /.auth/login/microsoftaccount but instead of getting prompted for credentials I am automagically signed in with the previous account. It is nice many times but I am trying to test users with different permissions. If I start a new private browser I am prompted every time as I expect.

I must have missed something either at logout or a login parameter to enable a re-prompt. Can someone help me understand what I missed here?

Easy Auth docs https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

No Refunds No Returns
  • I should note that Edge browser behaves as I expect. Logging out, then logging in again prompts me to select the identity. Chrome ... not so much. Any ideas still appreciated. However measured or far away. – No Refunds No Returns Aug 10 '19 at 05:31

1 Answer

We suspect that the logout is working correctly. You are not prompted for login because of SSO.

Certain identity providers support what’s called “server-side logout”. AAD supports this, but MSA does not (at least not programmatically). Server-side logout ensures that you also terminate the SSO session, which is why logging out from an AAD app will always require the user to re-enter credentials.

If you want to log in with different users, you can try to force a login prompt.

{site}/.auth/login/microsoftaccount?prompt=login
Tony Ju
  • See my comment in my original q. Edge behaves as I expect -- I get prompted for and can use any valid credential. However Chrome just silently signs in with whatever last credential I used. Only if I blast all my Chrome cookies do I get prompted again. It seems like something is missing from the Azure Authentication docs about what to do after logout. I haven't had a chance to trace the cookies before and after to see what Edge is doing that Chrome is not. – No Refunds No Returns Aug 21 '19 at 13:12
  • The suggestion in this answer did not work using Chrome – No Refunds No Returns Aug 21 '19 at 13:13