How to properly make my SWA logout from a custom identity provider?

[brenoalvs]

I saw this similar issue and I think this is a bug.
#529

But I would like to understand better if this is something that will be fixed or do we really need to make the "reverse flow" to make it work. (Logout from IdP redirecting to app logout url).

Describe the bug
The app does not completely logs out when we visit the /logout url with a custom identity provider configured.

To Reproduce
Steps to reproduce the behavior:

1. Setup a custom identity provider
2. Login into the app
3. Then logout
4. The SWA app will be logged out but not the custom provider.
5. If you visit any url that requires authentication the app logs you in without requesting for credentials again.

Expected behavior
Logout from the SWA and from the custom identity provider.

[mkarmark]

Hi, we are taking a look at this issue and will post about a potential mitigation plan when we figure out the issue.

[mkarmark]

You should currently be experiencing a logout from the Azure Active Directory and Google built in providers even when configured as custom identity providers. We currently don't support provider logout for custom OpenId Connect Providers as it is an additional spec that is not part of core OpenId Connect but we see the value in this feature so will look to add this in a future release, and we will update this thread when we do.

[ananratt1]

I have the same issue. I can confirm that /logout doesn't really log the user out from AAD or Google.

Steps to repro:

1. Navigate to /.auth/login/aad and login using a Microsoft Account. Say NO to 'Stay signed in?' prompt.
2. Navigate to /.auth/me to see the basic information on the logged in account to prove that I'm in the logged in state.
3. Navigate to /.auth/logout to logout. Immediately, navigate to /.auth/me again to confirm that my static Web App regards me as 'logged out.' I'd see this:
   {"clientPrincipal": null}
4. Navigate to /.auth/login/aad again. Microsoft login page flashes by, and I am logged right back in with the previously logged out user.

Using .auth/login/google suffers from the same issues.

Things that sort of worked
Any of the two actions below alone seems to make the browser forget my logged-in state:

1. Close the whole browser and relaunch it. I'd get asked to pick the previous user (and then enter the password) or choose a new user.

2. After having logged in to SWA using AAD, open a new tab in the same browser, and navigate to hotmail.com. That tab will enjoy my logged-in state from the Static Web Apps tab. I'd see my mails right away. Then I log out from the hotmail.com tab, switch back to ***.azurestaticapps.net tab and see that I am still logged into my Static Web App. Good! Then if I log out from my Static Web App and try to log back in, it has forgotten my logged-in state this time. In other words, logging out from the hotmail.com tab is somehow more powerful.

[TellonUK]

Are there plans to make this work with AzureB2C when used as a custom provider?

A solution for AzureB2C (And most OIDC Providers) is to have .auth/logout redirect to the end session URL provided in the known good configuration, you can then pass a post_logout_redirect to get back to the .auth/login/AzureB2C page.

If you could provide a logout URL somewhere that .auth/logout should redirect to as part of the app configuration, or in the json configuration or even pick it up from the OpenID end session property from the known good configuration then it could be configured per static web app, allowing the same code to be used for multiple instances of the application utilizing different AzureB2C providers (multiple clients)

[bzbetty]

I think b2c supplies the logout URL in its config endpoint, so shouldn't need the URL as a setting, just whether it should log you out.

[fralik]

Any news on that? I am experience the same issue on a computer located in a public space. After I log in and then log out from the app, anyone could re-log on my behalf.

[TellonUK]

My custom identity provider (Azure B2C) has a logout URL. I was able to goto that logout URL (logging out of my Azure B2C tenant) then have that redirect to the Azure SWA url for logout, which would trigger a local logout of the SWA. This allowed me to execute some cleanup code, logout of the IDP and then the SWA. Which ultimately left the user back at the IDP login page and all tokens expired.

[MudassarAli]

Any progress here. We are experiencing the same issue.

[scafaria]

I have this issue too.

[bzbetty]

like @TellonUK we ended up redirecting the user to "https://$(tenantName).b2clogin.com/$(tenantName).onmicrosoft.com/b2c_1_login/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2F$(redirectUri)%2F.auth%2Flogout" which then redirects the user to the swa logout page. seems to work for us.

[scafaria]

Thanks for the reply @bzbetty. I'm using the built-in identity providers for Static Web Apps, e.g. "https://myurl.com/.auth/login/google". I'm not sure if that's why I don't have any luck, but when I try the URL you provided (using my tenantName and redirectUri) I receive "The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."
This link makes me wonder further.

[bzbetty]

also the b2c_1_login section of the link is the name of your logout user flow

[scafaria]

Right. I'm using the built-in auth of a static web app. So all I have is (twitter example): "https://mysite.com/.auth/login/twitter" and "https://mysite.com/.auth/logout". (also should note that "mytenantName" differs from mysite.com")

[dzidzedev]

Hi,
Is there here any fix? I have tried with WSO2 custom identity provider. I have the same issue.

[GNANASEKHARKURA]

Hi there,

It's a long pending issue, any update on this?