We have implemented an ASP.NET solution that uses Azure AD B2C and OpenIdConnect. The user is able to log in using an email and password stored in Azure B2C. Everything is fine.
We then added an external identity provider. This lets the user choose between the email and password or the identity provider. Login works fine, but logout is not propagated to the identity provider.
So now I have a scenario where a logout is registered correctly in Azure B2C. But if I log back in and choose the identity provider, I am authenticated by the identity provider without giving my credentials, because I am still logged in with the identity provider. (This is probably the preferred behaviour if the identity provider is Google or Facebook, but in this case it is a huge security risk.)
I can see that my browser is redirected to an end-session URL at the external identity provider, but it does not result in the user being logged out.
Is it possible to achieve a logout from the external identity provider?
What could the issue be?
Azure AD B2C does not support signing you out from the external identity provider, be it Facebook, Google or a custom OIDC/SAML/WS-Fed identity provider. It only signs you out from Azure AD B2C.
For more information on the B2C session, please refer to this document.
There is an existing feature request on UserVoice; please upvote it so that the product team can prioritize it.
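The following is an added example, not part of the question or the answer above and not code from Azure AD B2C or ASP.NET. It shows, in plain Python with no network calls, the two OpenID Connect mechanisms involved in the scenario: the RP-initiated logout redirect to an end_session_endpoint (the redirect the question reports seeing), and the relying-party side check that catches a silently reused login when the app sends max_age (or prompt=login) and then validates auth_time in the returned ID token. The endpoint URLs, client id, token string and claim values are constructed sample data.

```python
"""
Added example (not from the original post): the OpenID Connect pieces of the
logout / re-login scenario above. Issuer URLs, client id, token and claims
are constructed sample values, not real tenants or tokens.
"""
import time
from urllib.parse import urlencode


def build_end_session_url(end_session_endpoint, id_token, post_logout_redirect_uri, state):
    """RP-initiated logout request (OpenID Connect RP-Initiated Logout 1.0).

    id_token_hint tells the provider which session to end; the
    post_logout_redirect_uri must be pre-registered with the provider.
    Whether the provider actually ends its own session on receiving this
    request is up to the provider (the question above is a case where it
    does not).
    """
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    }
    return f"{end_session_endpoint}?{urlencode(params)}"


def build_authorize_url(authorization_endpoint, client_id, redirect_uri, state, nonce,
                        max_age=None, prompt=None):
    """Authorization code flow request.

    max_age=N asks the provider to re-authenticate the user if the last
    authentication is older than N seconds (max_age=0 always forces it) and,
    per OIDC Core, obliges the provider to return auth_time in the ID token.
    prompt=login asks for a fresh login regardless of max_age.
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    if max_age is not None:
        params["max_age"] = str(max_age)
    if prompt is not None:
        params["prompt"] = prompt
    return f"{authorization_endpoint}?{urlencode(params)}"


def check_auth_freshness(claims, max_age, now=None, skew=60):
    """Relying-party check to run after the ID token signature, iss, aud,
    exp and nonce have already been verified.

    Returns (ok, reason). Rejects a token that omits auth_time even though
    max_age was requested, and one whose authentication is older than
    max_age seconds. This is how the app detects that it got a recycled
    login instead of a fresh credential prompt.
    """
    now = int(time.time()) if now is None else now
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return False, "auth_time missing although max_age was requested"
    if isinstance(auth_time, bool) or not isinstance(auth_time, int):
        return False, "auth_time is not an integer"
    if auth_time > now + skew:
        return False, "auth_time is in the future"
    age = now - auth_time
    if age > max_age:
        return False, f"authentication is {age}s old, limit is {max_age}s"
    return True, "fresh"


if __name__ == "__main__":
    # Hypothetical endpoints and values for a stand-alone run.
    idp = "https://idp.example.test"
    print(build_end_session_url(f"{idp}/connect/endsession", "eyJ.sample.token",
                                "https://app.example.test/signout-callback", "st-1"))
    print(build_authorize_url(f"{idp}/connect/authorize", "my-client",
                              "https://app.example.test/signin-oidc", "st-2", "n-2",
                              max_age=0, prompt="login"))
    now = 1_700_000_000
    print(check_auth_freshness({"sub": "u1", "auth_time": now - 30}, 300, now))
    print(check_auth_freshness({"sub": "u1", "auth_time": now - 3600}, 300, now))
    print(check_auth_freshness({"sub": "u1"}, 300, now))
```

Caveat for the setup in the question: the ID token the application receives is issued by Azure AD B2C, so the auth_time it carries reflects the B2C authentication, and whether B2C forwards max_age or prompt=login to the federated identity provider is not something this page states. The freshness check above therefore detects a recycled B2C session reliably, and a recycled external-provider session only if the intermediate provider propagates the request and the resulting auth_time.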