Azure AD B2C - Sign out a user from all sessions
I have 3 websites using a single B2C tenant. I have been asked to set it up so that when a user signs out of one website, sign out of them all.

Likewise if their account is deleted.

I thought that I would have to introduce a call to Azure on every request to determine if the user is still logged in, but as far as I can see, there isn't a Graph API endpoint that would allow me to determine the user status.

Am I thinking about this the wrong way? Is there a way to do this easily using B2C, Graph API, the Active Directory client etc.?

Maybe there is an option when setting up the OpenIdConnectAuthenticationOptions for example.

Platon answered 16/12, 2016 at 14:59 Comment(1)
Updated Sign Out Url can be found here – Mastiff

I might be late, but if that helps, according to the docs:

When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.

Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.

This is called single sign-out. Please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-overview#single-sign-out

Insula answered 7/7, 2020 at 10:35 Comment(3)
Although I'm no longer in a position to try it, this sounds like the answer to me. – Platon
Correct me if I'm wrong, but this will work for the same browser, correct? If the user is logged in on different browsers or devices, how can single sign-out be implemented across those as well? – Enamel
Do you have an idea where the social account selection data is stored? In my case I do a logout by clearing the cache; upon next login I am presented with a screen to enter my credentials, and then when I click on "Sign in with Microsoft" I am immediately redirected to the application (whereas on initial login with Microsoft I had to choose which Microsoft account I want to log in with). How can I force this account selection? (Several places mention prompt=select_account, but I have no clue where to configure this: in the policy, in the application, or as part of the URL.) – Shwalb
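An added example, in Python, of the LogoutUrl receiver the quoted docs say every application must implement; this is not code from the thread or from Microsoft. It assumes the app keeps sessions server-side in a registry keyed both by session id and by user id, that the LogoutUrl registered in B2C is /signout-oidc on this app, and (assumption) that the GET may carry a sid query parameter; when it does not, the session cookie sent with the GET identifies the session. Because that GET is issued by the browser from the B2C sign-out page, the cookie is a cross-site cookie and only arrives if it was set with SameSite=None; Secure, which is one reason front-channel sign-out only reaches sessions in the same browser (the point raised in the comments). The registry therefore also has a per-user revocation path for the "other devices" and "account deleted" cases.

```python
"""Front-channel single sign-out receiver for a B2C relying party.

Added example, not code from the original thread. Assumptions:
  * sessions are stored server-side, keyed by a random session id (sid)
    and by user id, so a sign-out can end every session of a user;
  * the LogoutUrl registered in B2C points at /signout-oidc on this app;
  * B2C may (assumption) pass a `sid` query parameter; otherwise the
    session cookie carried by the GET identifies the session to end.
"""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

COOKIE_NAME = "app_session"  # hypothetical cookie name


class SessionStore:
    """In-memory session registry; use Redis/SQL in production."""

    def __init__(self):
        self._by_sid = {}    # sid -> user_id
        self._by_user = {}   # user_id -> set of sids

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)
        self._by_sid[sid] = user_id
        self._by_user.setdefault(user_id, set()).add(sid)
        return sid

    def is_active(self, sid):
        return sid in self._by_sid

    def end(self, sid):
        user_id = self._by_sid.pop(sid, None)
        if user_id is not None:
            self._by_user[user_id].discard(sid)
        return user_id is not None

    def end_all_for_user(self, user_id):
        """For account deletion or a central revocation: ends every
        session of the user, on every browser and device."""
        sids = self._by_user.pop(user_id, set())
        for sid in sids:
            self._by_sid.pop(sid, None)
        return len(sids)


def handle_logout_get(environ, store):
    """Handle GET <LogoutUrl>; returns (status, headers, body).

    Always answers 200 for a GET, as the B2C docs require, so an
    already-ended session is not reported back as a failure.
    """
    if environ.get("REQUEST_METHOD", "GET") != "GET":
        return "405 Method Not Allowed", [("Allow", "GET")], b""

    query = parse_qs(environ.get("QUERY_STRING", ""))
    sid = query.get("sid", [None])[0]
    if sid is None:
        # Fall back to the session cookie. The GET is cross-site (made from
        # the B2C page), so the browser only attaches this cookie if it was
        # set with SameSite=None; Secure. Otherwise nothing can be ended here.
        cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        if COOKIE_NAME in cookies:
            sid = cookies[COOKIE_NAME].value

    ended = store.end(sid) if sid else False
    headers = [
        ("Content-Type", "text/plain"),
        ("Cache-Control", "no-store"),
        # Expire the cookie in the browser as well as on the server.
        ("Set-Cookie", f"{COOKIE_NAME}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=None"),
    ]
    return "200 OK", headers, (b"signed out" if ended else b"no session")


STORE = SessionStore()


def app(environ, start_response):
    """Minimal WSGI app exposing only the logout endpoint."""
    if environ.get("PATH_INFO") == "/signout-oidc":
        status, headers, body = handle_logout_get(environ, STORE)
    else:
        status, headers, body = "404 Not Found", [("Content-Type", "text/plain")], b""
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

The handler deliberately ends only the one session the request identifies; end_all_for_user is the call to make from an account-deletion or admin-revocation path, not from the LogoutUrl, since the GET from B2C is unauthenticated beyond whatever cookie it carries.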

According to the description in the Azure documentation:

While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.

So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy endpoint, e.g.:

https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in

You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.

If you have any further concerns, please feel free to let me know.

Malisamalison answered 19/12, 2016 at 5:40 Comment(2)
This is what I'm doing, but it still keeps me signed in to other applications until the session expires. I take it I'll need to do a manual check on every request to an API endpoint to determine if I'm still logged in, and if not, destroy the session? – Platon
I am currently trying to do this. I am unable to sign users out from other signed-in applications. – Scorch

Microsoft has an API for this by now. I link to the following blog, as the documentation is currently wrong.

Microsoft developer blog: revokeSignInSessions & invalidateAllRefreshTokens

Request
POST https://graph.microsoft.com/beta/users/{id}/revokeSignInSessions

Response
HTTP/1.1 204 No Content

Note that as of 28 Dec 2023 the user: invalidateAllRefreshTokens API is available only in beta.

Synapsis answered 10/6, 2021 at 11:46 Comment(1)
This must be the answer! Just head to Graph Explorer, and you're good to go: developer.microsoft.com/en-us/graph/graph-explorer – Amoakuh

Microsoft Graph API supports revoking the current user's sessions. This blog gives brief details about the API.

Try the api in Graph Explorer

Note: After calling revokeSignInSessions, there might be a small delay of a few minutes before tokens are revoked.

  POST /me/revokeSignInSessions
  POST /users/{id | userPrincipalName}/revokeSignInSessions

  // Auth headers
  Authorization: Bearer {token}

Response

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Edm.Boolean",
    "value": true
}
Encamp answered 12/5 at 18:47 Comment(0)
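An added Python example covering the Graph call in the two answers above (revokeSignInSessions); it is not code from the thread, from the linked blog, or from Microsoft. It assumes an app registration in the B2C tenant that obtains a Graph token with client credentials and holds an application permission allowing session revocation (User.ReadWrite.All, or the narrower User.RevokeSessions.All where your tenant offers it; confirm against the current Graph permissions reference), and it takes the HTTP transport as a parameter so the logic can be exercised offline. It accepts both response shapes shown in the answers (200 with {"value": true} and 204 No Content). It also shows the check that answers the question's "do I have to call Azure on every request" worry: revokeSignInSessions sets the user's signInSessionsValidFromDateTime property, and access tokens issued before that timestamp stay valid until they expire, so an API can cache that watermark per user and reject older tokens by their iat claim rather than querying Graph per request.

```python
"""Revoke all of a user's B2C sessions via Microsoft Graph, and reject
tokens issued before the revocation watermark.

Added example, not code from the original answers. Assumptions:
  * an app registration in the B2C tenant with an application permission
    that allows revoking sessions, used with client credentials;
  * `send(method, url, headers, body)` is an injectable transport returning
    (status_code, body_bytes); the default uses urllib.
"""
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"


def urllib_send(method, url, headers, body=None):
    """Default transport; returns (status_code, body_bytes) even on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_app_token(tenant, client_id, client_secret, send=urllib_send):
    """Client-credentials token for Graph (scope .default) in the B2C tenant."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    status, payload = send(
        "POST", f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
        {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {payload[:200]!r}")
    return json.loads(payload)["access_token"]


def revoke_sign_in_sessions(user_id, token, send=urllib_send):
    """POST /users/{id}/revokeSignInSessions.

    Graph has answered this with 200 + {"value": true} or with 204 No
    Content; both count as success. Only refresh tokens and browser
    sessions are invalidated: access tokens already issued stay valid
    until they expire, so keep access-token lifetimes short.
    """
    status, payload = send(
        "POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions",
        {"Authorization": f"Bearer {token}", "Content-Length": "0"}, b"")
    if status == 204:
        return True
    if status == 200:
        return bool(json.loads(payload or b"{}").get("value", False))
    raise RuntimeError(f"revokeSignInSessions failed: {status} {payload[:200]!r}")


def get_sessions_valid_from(user_id, token, send=urllib_send):
    """Read the revocation watermark that revokeSignInSessions updates."""
    status, payload = send(
        "GET", f"{GRAPH}/users/{user_id}?$select=signInSessionsValidFromDateTime",
        {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"user lookup failed: {status} {payload[:200]!r}")
    value = json.loads(payload).get("signInSessionsValidFromDateTime")
    # Graph returns RFC 3339 with a trailing Z; fromisoformat needs +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def token_issued_before_revocation(iat, valid_from):
    """True if a token with this `iat` (epoch seconds) predates the watermark.

    An API can cache `valid_from` per user (refresh it on a timer, or
    immediately after issuing a revoke) and reject such tokens instead of
    calling Graph on every request.
    """
    if valid_from is None:
        return False
    return datetime.fromtimestamp(iat, tz=timezone.utc) < valid_from


if __name__ == "__main__":
    import os
    tok = get_app_token(os.environ["B2C_TENANT"], os.environ["B2C_CLIENT_ID"],
                        os.environ["B2C_CLIENT_SECRET"])
    print(revoke_sign_in_sessions(os.environ["B2C_USER_ID"], tok))
    print(get_sessions_valid_from(os.environ["B2C_USER_ID"], tok))
```

For the "account deleted" case in the question, issue the revoke before the DELETE /users/{id}, and remember that neither call recalls access tokens already in a client's hands; that gap is closed only by short token lifetimes plus the iat watermark check (or a server-side session registry the app can purge).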

© 2022 - 2024 — McMap. All rights reserved.