
I am trying to add a logout_hint parameter to the logout URL for a B2B identity provider in an Azure AD B2C custom policy.

I have verified that the login_hint parameter is being added correctly to the user's token claims, and have checked that the claims transformation is correctly referenced in the technical profile(s). I can see from the network traffic that a logout request is being sent when the user signs out. However, the logout_hint parameter is not being added to the identity provider logout URL when a user signs out.

Is there something else that I need to do in order to ensure that the logout_hint parameter is added to the identity provider logout URL? Any guidance or assistance would be greatly appreciated.

Thank you.

Update 1: Let me provide a bit more information. It's not a problem to get the login_hint from the token. And it's not a problem to add a logout_hint to the link when logging out. But this parameter (logout_hint) will be added only to the B2C logout link. In the B2C policy, I added functionality for single sign-out. And when the user logs out of B2C, a logout request to the federated identity provider (https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/logout) is sent in the background, but the user is not logged out of this federated identity provider. If the user simply opens the link https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/logout in the browser, the user will need to select an account for the logout. But if the user follows the link https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/logout?logout_hint={login_hint}, he will be logged out of the federated identity provider. Accordingly, I need to somehow make sure that the logout_hint parameter is added to the federated identity provider's logout link when the user logs out from B2C and a logout request to the federated identity provider is sent in the background.

So, my goal is to log a user out of the federated IDP when the user logs out of the application.

2 Answers


Thank you for posting your query. To add logout_hint you can extract the login_hint claim in your app and set it as the logoutHint in the logout request:

There are two ways to achieve a promptless logout:

// homeAccountId: the homeAccountId of the signed-in account (e.g. taken from msalInstance.getAllAccounts())
const currentAccount = msalInstance.getAccountByHomeId(homeAccountId);

// Extract login hint to use as logout hint
const logoutHint = currentAccount.idTokenClaims.login_hint;
// Passing logoutHint lets the server end the session without showing the account picker
await msalInstance.logoutPopup({ logoutHint: logoutHint });

OR

const currentAccount = msalInstance.getAccountByHomeId(homeAccountId);
// The account's ID Token must contain the login_hint optional claim to avoid the account picker;
// MSAL derives the logout hint from that account's claims
await msalInstance.logoutRedirect({ account: currentAccount });

Note: Depending on the API you choose (redirect/popup), the app will still redirect or open a popup to terminate the server session. The difference is that the user will not see or have to interact with the server's account picker prompt.

Thanks

Mavric20
  • Thanks for the answer. I want the user to not have to interact and select an account to log out. I want the user to be automatically logged out of the b2b provider identity when he logs out of the application. To do this, logout_hint must be added to the logout link from the b2b identity provider. – Andrii Dovhal Mar 30 '23 at 10:25
  • @AndriiDovhal If you would use the syntax shared above there would be a POP/redirection happening but the user won't have to interact with that as it would be an auto redirection and the user would be logged out of the application. Also the logout would happen only from the Application and not the federated IDP as Azure AD B2C doesn't control the federated identity provider session. Instead, session behavior is determined by the federated identity provider. As per https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#sign-out – Mavric20 Mar 30 '23 at 12:15
  • The sign-out clears the user's single sign-on state with Azure AD B2C, but it might not sign the user out of their social identity provider session. – Mavric20 Mar 30 '23 at 12:19
  • I've added more information to the main post. Look here please. – Andrii Dovhal Mar 30 '23 at 17:31

All docs have the same thing, "might not sign". I am stuck due to the same issue. I'm able to extract the login_hint from a federated AAD in a B2C custom policy, then I put it in the MSAL logout request as a logout_hint property. It is sent to the B2C logout endpoint. But then the B2C logout endpoint returns JavaScript instructions to open an iframe to call the AAD logout endpoint 'https://login.microsoftonline.com/common/oauth2/v2.0/logout' without the logout_hint parameter.

Inspecting the JavaScript code returned by B2C, it calls a 'frameLoader' function, but it has a null in the fields parameter.

$.when(
frameLoader('https://login.microsoftonline.com/common/oauth2/v2.0/logout', 'GET', null) ).then(function () {

Support for the AAD v2.0 logout_hint parameter, according to some Microsoft employees, was in a test phase last year. Maybe it is supported now.

Also, support in MSAL for the logout_hint parameter was recently released.

As for B2C logout_hint parameter support, there is not any documentation about the logout_hint parameter.

It's a real shame that logout_hint is supported by MSAL and AAD, but not by B2C.
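As an added example (not code from the question or from either answer), the following Node.js snippet does the two things the thread discusses: it reads the login_hint claim from a B2C id token and builds the federated IdP's v2.0 logout URL with logout_hint, as the asker describes, and it checks a captured logout request, such as the iframe URL issued by the frameLoader call in the second answer, for the presence of that parameter. The token, subject, tenant id and redirect URI are constructed placeholders.

```javascript
// base64url -> UTF-8 string (JWT segments are base64url without padding).
function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 ? '='.repeat(4 - (b64.length % 4)) : '';
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Read the payload claims of a compact JWT. The signature is NOT checked:
// the claims are only used to build a URL, never for an access decision.
function idTokenClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Build the v2.0 logout URL; logout_hint lets the IdP skip the account picker.
function buildLogoutUrl(logoutEndpoint, claims, postLogoutRedirectUri) {
  const url = new URL(logoutEndpoint);
  if (typeof claims.login_hint === 'string' && claims.login_hint) {
    url.searchParams.set('logout_hint', claims.login_hint);
  }
  if (postLogoutRedirectUri) {
    url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  }
  return url.toString();
}

// Diagnostic for the symptom in the thread: does a captured logout request
// (for example the iframe URL issued by B2C's frameLoader) carry logout_hint?
function hasLogoutHint(capturedUrl) {
  return new URL(capturedUrl).searchParams.has('logout_hint');
}

// Constructed sample token (header.payload.dummy-signature) and placeholder
// tenant id; the login_hint value is an opaque string, as the real claim is.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}
const SAMPLE_JWT = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({ sub: 'constructed-subject', login_hint: 'O.constructed-opaque-hint' }),
  'dummy-signature',
].join('.');
const LOGOUT_ENDPOINT =
  'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/logout';

console.log(buildLogoutUrl(LOGOUT_ENDPOINT, idTokenClaims(SAMPLE_JWT), 'https://app.example/signed-out'));
```

Running hasLogoutHint over the iframe URL seen in the browser's network trace confirms whether B2C forwarded the hint, which is the check both the asker and the second answer made by hand.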