Logout is not working in Microsoft Azure Web App

Question

I am using the following method to implement logout functionality for Azure Web App.

I am using the url https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1} where {0} is the Azure AD url and {1} is the web app url.

Sample url: https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout?post_logout_redirect_uri=http://myazurewebapp.azurewebsites.net

This gives me the output stating

You signed out of your account

It's a good idea to close all browser windows."

But when I put the site url on the browser the user goes through without going through authentication. I have also added code for expiring the cookies, but it's not helping. After signout I want the user to be redirected to the login page and also the user should have to go through authentication for logging in.

Are you using the built-in authentication and authorization services provided by Azure App Service? Have a look at this issue and issue. — Bruce Chen
@Bruce .. Yes we are using the built-in authentication and authorization services provided by Azure App Service. We have tried these links . but no luck ! — Sam Ganguly
In this scenario, there will be 2 cookies set for the logged in user. One cookie for 'login.microsoftonline.com' and one for your site. It is not clear in your post which cookie is at fault for logging in the user again. Hitting the 'logout' url should wipe the cookie for the login endpoint, but you then need to make sure that you are also writing code to remove the cookie for your web app. — Shawn Tabrizi

Bruce Chen Bruce Chen · Accepted Answer · 2017-02-15T07:21:11

According to your description, I have created a new ASP.NET Web Application that doesn't require any user authentication, then I followed this tutorial for configuring my web app to use AAD login.

To restrict access to your site to only users authenticated by Azure Active Directory, set Action to take when request is not authenticated to Log in with Azure Active Directory.

When a user has logged in, you could find a cookie named AppServiceAuthSession as follows:

For a simple way to log out, you could just call https://{your-webapp-name}.azurewebsites.net/.auth/logout, this in-build endpoint would clear your browser cookies first, then redirect you to process the log out at Azure AD end as follows:

When the log out operation is finished at Azure AD side, the browser would redirect you to the post_logout_redirect_uri(/.auth/logout/complete by default) as follows:

In summary, please leverage fiddler to capture the requests when performing log out in your web app, and try to see whether the cookie AppServiceAuthSession has been removed after you logged out.

Logout is not working in Microsoft Azure Web App

3 Answers