Azure AD B2C - Sign out a user from all sessions

22.2k views Asked by At

I have 3 websites using a single B2C tenant. I have been asked to set it up so that when a user signs out of one website, sign out of them all.

Likewise if their account is deleted.

I thought that I would have to introduce a call to Azure on every request to determine if the user is still logged in, but as far as I can see, there isn't a Graph API endpoint that would allow me to determine the user status.

Am I thinking about this the wrong way? Is there a way to do this easily using B2C, Graph API, the Active Directory client etc.?

Maybe there is an option when setting up the OpenIdConnectAuthenticationOptions for example.

3

There are 3 answers

3
Adeel Shekhani On BEST ANSWER

I might be late. But if that helps. A.c to docs

When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.

Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.

This is called single sign out . Please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-overview#single-sign-out

2
Gary Liu On

According the description on Azure Document:

While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.

So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy endpoint, e.g.:

https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in

You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.

Any further concern, please feel free to let me know.

1
Tobi On

Microsoft has an API for this by now. I link to the following blog, as the documentation is currently wrong.

microsoft developer blog: revokeSignInSessions & invalidateAllRefreshTokens

Request 
POST https://graph.microsoft.com/beta/users/{id}/revokeSignInSessions 

Response  
HTTP/1.1 204 No Content 

Note that as on 28 Dec 2023 the api/user-invalidateallrefreshtokens is available only in Beta