I’m implementing Azure b2c with a .NET 4.8 MVC app. Our process uses Cookie Authentication and local user accounts with a custom flow policy, which works great.
The issue is that I am having trouble signing out of azure b2c. Currently I’m testing locally and a user click the “Sign Out” Button. The signout button clears the local data, and then redirects to the link via this document.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect?ref=blog.bajonczak.com#send-a-sign-out-request
The link appears to work successfully, but when I click the “Back” button in my browser, the user is still authenticated through B2C.
Can anyone tell me if this is the correct way to sign out of B2C?
Sign in code through Startup
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
// ASP.NET web host compatible cookie manager
CookieManager = new SystemWebChunkingCookieManager(),
CookieName = "MyPortal.AuthCookie",
CookieSameSite = Microsoft.Owin.SameSiteMode.Lax,
CookieSecure = CookieSecureOption.Always,
CookieHttpOnly = true,
CookiePath = Globals.ApplicationRelativePath
});
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
// Generate the metadata address using the tenant and policy information
MetadataAddress = String.Format(Globals.WellKnownMetadata, Globals.TenantId, Globals.DefaultPolicy),
// These are standard OpenID Connect parameters, with values pulled from web.config
ClientId = Globals.ClientId,
RedirectUri = Globals.RedirectUri,
PostLogoutRedirectUri = Globals.PostLogoutRedirectUri,
UseTokenLifetime = true,
// Add the ProtocolValidator property here
// Specify the callbacks for each type of notifications
Notifications = new OpenIdConnectAuthenticationNotifications
{
RedirectToIdentityProvider = OnRedirectToIdentityProvider,
AuthenticationFailed = OnAuthenticationFailed,
SecurityTokenValidated = OnSecurityTokenValidated
},
// Specify the claim type that specifies the Name property.
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "extension_Role",
ValidateIssuer = false
},
// Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
Scope = $"openid profile offline_access {Globals.ReadTasksScope} {Globals.WriteTasksScope}",
// ASP.NET web host compatible cookie manager
CookieManager = new SystemWebCookieManager(),
}
);
}
Log off function – added OWIN sign out for extra checks but it does the same thing regardless
public ActionResult LogOff()
{
//Log out through OWIN
IEnumerable<AuthenticationDescription> authTypes = HttpContext.GetOwinContext().Authentication.GetAuthenticationTypes();
HttpContext.GetOwinContext().Authentication.SignOut(authTypes.Select(t => t.AuthenticationType).ToArray());
Request.GetOwinContext().Authentication.GetAuthenticationTypes();
HttpContext.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);
//Expire cookie
if (Request.Cookies["MyPortal.AuthCookie"] != null)
{
HttpCookie authCookie = new HttpCookie("MyPortal.AuthCookie");
authCookie.Expires = DateTime.Now.AddDays(-1d);
Response.Cookies.Add(authCookie);
}
try
{
AccountManager accountManager = new AccountManager();
accountManager.LogOff();
var RequestUri = new System.Uri(Globals.AadLogoutUrl);
return Redirect(RequestUri.ToString());
}
catch
{
throw;
}
}
Finally – my RequestURI
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{flow}/oauth2/v2.0/logout?post_logout_redirect_uri={redirectURI}