I'm seeing an issue specifically with Safari whereby a user session is retained, even after logging out. See the steps below (endpoints called by a SPA):

  1. Log in and provide credentials by calling:

    GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?client_id=90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6&response_type=id_token&redirect_uri=https%3A%2F%2Fjwt.ms%2F&response_mode=fragment&scope=openid&nonce={nonce}

Once the user has successfully authenticated, they are redirected back to the application with an id token, which can then be exchanged for an access token etc.

Whilst authenticated, the application provides a Logout link for the user, which when used will do the next step:

  2. End session by redirecting the client to:

    GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout?post_logout_redirect_uri={appUrl}

The user is then redirected back to the application login page.

The issue is that if the user then logs in again (first step), the AD B2C service redirects the user straight back to the application with an id token without asking them to log in again. This is happening in Safari only. It even happens after closing the browser and re-opening.

Is there something I'm missing here? I'm following the docs here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect#send-a-sign-out-request

Dan

2 Answers

If the users are signing in with local accounts then the user's sessions will be cleared, but if they are using social identities they may not be signed out.

If the user wants to sign out of your B2C app, it does not necessarily mean that the user wants to sign out of their external identity provider such as Google or Facebook.

If you are directing the user to the end_session_endpoint, it will clear some of the user's single sign-on state with B2C, but it will not sign the user out of the user's social identity provider (IDP) session. The user will be reauthenticated without entering their credentials if they select the same IDP during a subsequent sign-in.

Check OpenID Connect document

(or)

The issue may be with Azure AD's Safari compatibility, where Apple may not properly send cookies to login.microsoftonline.

If you are using ASP.NET Core Identity, try to disable the protection by configuring cookies with the following code:

services.ConfigureExternalCookie(options =>
{
    // Other options
    options.Cookie.SameSite = SameSiteMode.None;
});
services.ConfigureApplicationCookie(options =>
{
    // Other options
    options.Cookie.SameSite = SameSiteMode.None;
});

If you are using cookie authentication without ASP.NET Core Identity, you can turn off the protection with the following code:

services.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
    // Other options
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
});

References:

  1. Configure session behavior - Azure Active Directory B2C | Microsoft Docs
  2. ios - Azure Active Directory Safari Redirection Issue - Stack Overflow
  3. active-directory-b2c/openid-connect#send-a-sign-out-request
kavyaS
  • I'm making the requests to the B2C login and logout endpoints from a SPA, so there's no .NET involved where I could change these cookie options you mention. Also, the IDP is AAD, so I believe the user should be signed out. This works as I'd expect in other browsers so I suspect this could be related to Apple blocking MS cookies? – Dan Feb 18 '22 at 10:03

Finally got a solution that works.

Rather than using the sign-in and sign-out URLs in my question, I'm now using login.microsoftonline.com (not b2clogin.com). Not sure I want to leave it this way though, as MS are advising you switch from using login.microsoftonline.com to b2clogin.com.

Login now targeting:

https://login.microsoftonline.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize?client_id={clientId}&....

Logout now targeting:

https://login.microsoftonline.com/{tenant}.onmicrosoft.com/oauth2/v2.0/logout?p={policy}
Dan