Azure B2C not signing out from external Identity provider

3
votes

I have made an Azure AD B2C policy using external identity providers. I want, that when signing out of the app, the user should also be signed out from the external identity provider he used while signup. I read this on Azure documentation here.

As, written here, While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly

Is there any other way of dealing with this issue, or to do a force logout from Azure as well as from external identity providers ?

2
azureazure-ad-b2c

2 Answers

7
votes

Nope. And this how it should work.

You have a wrong way of thinking. When I sign out of your app I would be veeeeery mad at you if you sign me out of Google too (for example).

2
votes

This can't be done with Azure B2C. Although some people would argue that this is how it's meant to be and that keeping Social IDP's session alive is the expected behavior, I would argue that there are perfectly valid scenarios when this is not the case.

For example, for business apps that run on shared company devices. In our case, workers grab an iPhone from a locker and sign in to the app to do their job for the day. We allow them to sign in using their Social IDP credentials. At the end of their shift when they sign out and next person signs in using the same Social IDP, they will automatically get signed in as the previous user. You can see the problem, right?

I think, it would still be nice to have some way to end the Social IDP's session as well.