3
votes

I am using the following method to implement logout functionality for an Azure Web App.

I am using the URL https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1} where {0} is the Azure AD URL and {1} is the web app URL.

Sample URL: https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout?post_logout_redirect_uri=http://myazurewebapp.azurewebsites.net

This gives me the output stating

"You signed out of your account

It's a good idea to close all browser windows."

But when I put the site URL in the browser, the user goes through without going through authentication. I have also added code for expiring the cookies, but it's not helping. After sign-out I want the user to be redirected to the login page, and the user should also have to go through authentication to log in.

3
Are you using the built-in authentication and authorization services provided by Azure App Service? Have a look at this issue and issue. - Bruce Chen
@Bruce: Yes, we are using the built-in authentication and authorization services provided by Azure App Service. We have tried these links, but no luck! - Sam Ganguly
In this scenario, there will be 2 cookies set for the logged-in user: one cookie for 'login.microsoftonline.com' and one for your site. It is not clear in your post which cookie is at fault for logging in the user again. Hitting the 'logout' URL should wipe the cookie for the login endpoint, but you then need to make sure that you are also writing code to remove the cookie for your web app. - Shawn Tabrizi

3 Answers

1
votes

According to your description, I have created a new ASP.NET Web Application that doesn't require any user authentication, then I followed this tutorial for configuring my web app to use AAD login.

To restrict access to your site to only users authenticated by Azure Active Directory, set "Action to take when request is not authenticated" to "Log in with Azure Active Directory".

When a user has logged in, you could find a cookie named AppServiceAuthSession as follows:


For a simple way to log out, you could just call https://{your-webapp-name}.azurewebsites.net/.auth/logout. This built-in endpoint would clear your browser cookies first, then redirect you to process the logout at the Azure AD end as follows:


When the logout operation is finished on the Azure AD side, the browser would redirect you to the post_logout_redirect_uri (/.auth/logout/complete by default) as follows:


In summary, please use Fiddler to capture the requests when performing the logout in your web app, and try to see whether the cookie AppServiceAuthSession has been removed after you logged out.
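One way to run the check suggested in the answer above on the Set-Cookie headers copied out of a Fiddler capture of the /.auth/logout response (an added example, not code from the original posts; the function names are hypothetical and the sample header is constructed). It covers only the site's own AppServiceAuthSession cookie; the cookie for login.microsoftonline.com mentioned in the comments belongs to another domain and has to be checked in that domain's responses.

```javascript
// Added example: classify what a captured response did to one cookie.
// The sample header below is constructed, not captured from a real app.
const SESSION_COOKIE = 'AppServiceAuthSession'; // cookie name from the answer
const SAMPLE_LOGOUT_HEADERS = [
  'AppServiceAuthSession=; path=/; secure; HttpOnly; expires=Thu, 01 Jan 1970 00:00:00 GMT',
];

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) return null; // not a name=value pair
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// True when the cookie is already expired at `now` (Max-Age wins over Expires).
function isExpired(cookie, now) {
  if (typeof cookie.attrs['max-age'] === 'string') {
    const n = parseInt(cookie.attrs['max-age'], 10);
    if (!Number.isNaN(n)) return n <= 0;
  }
  if (typeof cookie.attrs.expires === 'string') {
    const t = Date.parse(cookie.attrs.expires);
    if (!Number.isNaN(t)) return t <= now.getTime();
  }
  return false; // no expiry attribute: a live session cookie
}

// Returns 'cleared', 'still-set' or 'untouched' for `name`.
// Simplification: Domain/Path are ignored, so the last header naming it decides.
function cookieStateAfter(setCookieHeaders, name, now = new Date()) {
  let state = 'untouched';
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (!c || c.name !== name) continue;
    state = isExpired(c, now) ? 'cleared' : 'still-set';
  }
  return state;
}

console.log(cookieStateAfter(SAMPLE_LOGOUT_HEADERS, SESSION_COOKIE));
```

A result of 'untouched' or 'still-set' on the logout response means the browser still holds a valid site session after sign-out.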

0
votes

@Bruce: No, I am not using any URL authentication rules. Let me tell you what's happening step by step.

1) I have used the same URL you have provided as the logout URL.

2) The page is redirecting to https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout?post_logout_redirect_uri=https://mywebapp.azurewebsites.net/.auth/login/aad/callback . It's not getting redirected to the default logout page.

Image of cookies on the page after redirecting to logout URL

3) If I navigate to the default logout page (/.auth/logout/complete) and click on "Return to website", for a brief moment it redirects to the Azure AD login page //login.microsoftonline.com/dcc17943-54b6-4bc7-b284-71d39f03aeb0/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fmywebapp.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=1ab2f820-2ca0-4a78-bfea-c849b91d339d&scope=openid+profile+email&response_mode=form_post&state=redir%3D%252F%26b2cPolicy%3D&nonce=d74940629d5e434eb6454648d33f371d_20170215104002 . It seems like it gets authenticated there automatically, and then redirects to the home page. I have deleted cookies manually too. Still the same result.

0
votes

@Bruce: I found something. If I manually delete all the cookies from chrome://settings/cookies and then redirect the page, then it works. Can I do it programmatically, using JavaScript or C#?