Single logout provides laravel_session, how do I match this to the user session in my app?


We have configured Azure AD B2C single logout functionality and added a logout URL to an application. When we sign in to this application, sign in to a second application, and then log out from the second application, Azure AD B2C successfully sends a GET request to the logout URL we have configured, which is great.

Our issue is how to associate the logout request received with the user's session. The logout request contains the following:

curl -X 'GET' '<logout url>' -H 'connection: close' -H 'cookie: XSRF-TOKEN=<token value>; laravel_session=fpgtPB1hoJzMa15SAIE7kboQ10EEcwh1NObe6puV; _ga=GA1.2.1910264866.1606692692; _gid=GA1.2.1622950309.1606692692; io=qO1MfnLd5iFi9MZIhDwU' -H 'accept-language: en-US,en;q=0.9' -H 'accept-encoding: gzip, deflate, br' -H 'referer: <our domain>' -H 'sec-fetch-dest: document' -H 'sec-fetch-user: ?1' -H 'sec-fetch-mode: navigate' -H 'sec-fetch-site: same-origin' -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H ' -H 'upgrade-insecure-requests: 1' -H 'host: <Your host>' -H 'content-length: ' -H 'content-type:  

How do we identify the user session within the application to complete the logout?


There is 1 answer

Dinakar J On

There is no association between the logout request received and the user session. User session ID related information is not available in the logout request received. For more details on session behavior in Azure AD B2C, you can refer to the following links.

Configure session behavior in Azure AD B2C

Configuring session behavior using custom policies in Azure AD B2C