 

Azure AD B2C logout issue

Issue summary: msal.logout() appears to log the user out, but after "logging out" the user can click "login" and be logged in again without being required to enter their username and password.

This is a serious security issue for users who log in to our application on a public computer, then log out thinking that they have prevented someone from accessing their account.

The frontend is using Angular-msal 1.0.0 (Angular-oauth2-oidc has the same issue, so I think it's not a problem with the JS library). Azure AD B2C built-in user flows and XML custom policies both have this logout issue when logging in with a federated AAD tenant user.

Any help would be appreciated. Thanks.

BlueArena Avatar asked Dec 06 '25 08:12



1 Answer

The MSAL library provides a logout method that clears the cache in browser storage and sends a sign-out request to Azure Active Directory (Azure AD). The request is made against the end_session_endpoint URL obtained from the B2C policy metadata. Keep in mind that single sign-out is supported only by custom policies and that it's scoped to the same browser, not the device.

Just in case you are still facing any issue, an idea would be to redirect using &prompt=login in your auth URL, which will revoke your login request without a user session.

Sri Hari Krishna Yalamanchili Avatar answered Dec 08 '25 05:12

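The two requests the answer refers to, the sign-out request against the policy's end_session_endpoint and a login request carrying prompt=login, shown as an added example in plain JavaScript (not code from the question, the answer, or the MSAL library). The metadata URLs, client id, token and redirect URIs are constructed placeholders; real values come from the B2C policy's OpenID metadata document and your app registration.

```javascript
// Constructed sample: the two metadata fields this page talks about.
const metadata = {
  authorization_endpoint: "https://example.b2clogin.com/example.onmicrosoft.com/b2c_1_signin/oauth2/v2.0/authorize",
  end_session_endpoint:   "https://example.b2clogin.com/example.onmicrosoft.com/b2c_1_signin/oauth2/v2.0/logout",
};

// Build an OpenID Connect authorization request. With forceLogin=true the
// request carries prompt=login, which tells the identity provider to ask for
// credentials again even if a session (for example a federated AAD one) still exists.
function buildAuthorizeUrl(meta, { clientId, redirectUri, scopes, nonce, state, forceLogin }) {
  const url = new URL(meta.authorization_endpoint);
  const p = url.searchParams;
  p.set("client_id", clientId);
  p.set("response_type", "id_token");
  p.set("response_mode", "fragment");
  p.set("redirect_uri", redirectUri);
  p.set("scope", scopes.join(" "));
  p.set("nonce", nonce);
  p.set("state", state);
  if (forceLogin) p.set("prompt", "login");
  return url.toString();
}

// Build the sign-out request against end_session_endpoint. id_token_hint lets
// the provider know which session to end; post_logout_redirect_uri must be a
// registered reply URL.
function buildLogoutUrl(meta, { idToken, postLogoutRedirectUri }) {
  const url = new URL(meta.end_session_endpoint);
  if (idToken) url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return url.toString();
}

// Defender-side check: does a login URL (e.g. one captured from the browser's
// network tab) actually force re-authentication? prompt is a space-separated list.
function forcesReauth(authorizeUrl) {
  const prompt = new URL(authorizeUrl).searchParams.get("prompt");
  return prompt !== null && prompt.split(" ").includes("login");
}
```

Run forcesReauth against the URL your library emits after logout: if it returns false and the user is signed straight back in, the provider-side session was never ended.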


