How to signout from an Azure Application?

Asked 8/9, 2016 at 8:56 Answered 8/9, 2016 at 10:17

azure authentication azure-web-app-service

I have created a Azure AD application and a Web App. The Azure AD Application uses AAD Authentication. This works well. When I go to my URL and I am not authenticated, I have to enter my credentials. When I enter my credentials, I am forwarded to my application.

But then comes the problem. How do I sign out. I have found this question and I wanted to implement option 2: not signing out using code, but using links Azure AD provides. The point is, I have no clue where to configure this. He states

Add some specific links for logging in and logging out

But where? Where in Azure and in which portal (new or old) can I configure this? He also provided a link with a sample, but I don't understand this sample (I kind of new to Azure).

Padua answered 8/9, 2016 at 8:56 Comment(0)

What you can do is construct a sign out URI in your application and when the user clicks on the Logout link or button, you redirect your users to that URI.

The format of a sign out URI is:

https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1}

Where {0} is the Tenant Id or the Azure AD name (something.onmicrosoft.com) and {1} is the link to your application where a user will be redirected back after the sign out process is complete at Azure AD end.

Winniewinnifred answered 8/9, 2016 at 9:16 Comment(1)

I found that when I .auth/logout, it logs me out everywhere so that .auth/me?provider=aad no longer works. – Moonlighting 5/1, 2018 at 16:55

I finally found why I couldn't get the provided example to work which I mentioned in my start post: the setting WEBSITE_AUTH_LOGOUT_PATH is deprecated and you can now call /.auth/logout to log out.

Found it on this page

Padua answered 8/9, 2016 at 10:17 Comment(5)

I guess you may still have to delete the browser cookies. For me it redirects to my home page but successfully logs user in. – Pyrrhonism 8/9, 2016 at 10:30

Redirecting to /.auth/logout will also automatically delete the session cookies. Note that If you want to redirect to a custom page after the logout completes, you can use something like /.auth/logout?post_logout_redirect_uri=/mylogoutpage.html (replace /mylogoutpage.html to any path you want). – Express 8/9, 2016 at 17:35

@ChrisGillum Thank you for the custom 'after logout page'. Didn't know about that. But where did you found this info? Where is this documented? – Padua 9/9, 2016 at 6:29

Full disclosure - I am the developer of this feature so I know it from memory. :D I'll chat with our doc writers to figure out if we have this properly documented somewhere. There's a good chance we missed it. – Express 9/9, 2016 at 21:42

Chris, is there a way to logout from aad without logging out everywhere. I find that if I .auth/logout on one client, it will cause the server to no longer be able to access .auth/me?provider=aad even though the token is good. As soon as another client logins in, then it works again. – Moonlighting 5/1, 2018 at 16:57

You could use the URI

https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1}

as @Gaurav suggested. But this does not clear the browser cookies. You may have to explicitly delete the cookies from your Request Object:

foreach (string cookie in HttpContext.Current.Request.Cookies.AllKeys) { HttpContext.Current.Response.Cookies[cookie].Expires=DateTime.Now.AddDays(-1);}

But, there's also one issue with this that Azure AD caches the cookies for some time interval so any request sent using the same cookie from any other source could be authenticated successfully by Azure AD. I'm still trying to figure out how to tackle this.

Hope this helps. Thanks

Pyrrhonism answered 8/9, 2016 at 9:38 Comment(0)

Recommended topics

Hot tags