TypeError: revocation_endpoint must be configured on the issuer [Azure AD B2C]

[zar3bski]

Context

I'm faced with the following error while implementing an openid strategy using Azure AD B2C as identity server. Here is its well-known

Set Up

{
  "issuer": "https://someCompany.b2clogin.com/3c46c857-9e8b-4121-9650-74dc6055108c/v2.0/",
  "authorization_endpoint": "https://someCompany.b2clogin.com/someCompany.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1a_signin",
  "token_endpoint": "https://someCompany.b2clogin.com/someCompany.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1a_signin",
  "end_session_endpoint": "https://someCompany.b2clogin.com/someCompany.onmicrosoft.com/oauth2/v2.0/logout?p=b2c_1a_signin",
  "jwks_uri": "https://someCompany.b2clogin.com/someCompany.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1a_signin",
}

I instantiated a oidc client using

const client: BaseClient = new issuer.Client({
    client_id: process.env.SSO_CLIENT_ID,
    client_secret: process.env.SSO_CLIENT_SECRET,
    redirect_uris: [`http://${hostName}/auth/callback`],
    response_types: ['token id_token'],
  })

The error

Callback and token revocation work like a charm. The problem occurs when I try to revoke a token at logout using client.revoke(token)

 /home/node/app/node_modules/openid-client/lib/helpers/assert.js:17
     throw new TypeError(`${endpoint} must be configured on the issuer`);
          ^

TypeError: revocation_endpoint must be configured on the issuer
    at assertIssuerConfiguration (/home/node/app/node_modules/openid-client/lib/helpers/assert.js:17:11)
    at Client.revoke (/home/node/app/node_modules/openid-client/lib/client.js:1384:5)
    at /home/node/app/lib/appi/libs/auth.js:79:16
     at Generator.next (<anonymous>)
     at fulfilled (/home/node/app/lib/appi/libs/auth.js:5:58)
     at processTicksAndRejections (node:internal/process/task_queues:96:5)

Questions

Does the problem come from the well-known not containing the proper metadata (or at least the ones expected by this lib) or does it come from the way I construct the client? I tried to add several parameters like revocation or end_session based on what I could understand from openid-client/lib/helpers/assert but without much effect

[panva]

See https://github.com/panva/node-openid-client/tree/v5.1.4/docs#clientrevoketoken-tokentypehint-extras

Revokes a token at the Authorization Server's revocation_endpoint.

It would appear your configuration and AAD? doesn't have one, hence you cannot perform token revocation.

[zar3bski]

What is an end_session_endpoint if not a revocation_endpoint (I fail to understand the difference)? Do I have a way to accommodate with Microsoft's slightly non-canonical way of calling thing?

[panva]

• revocation_endpoint RFC7009 - OAuth 2.0 Token Revocation
• end_session_endpoint OpenID Connect RP-Initiated Logout 1.0

[zar3bski]

OK, so, for OIDC, I should use .endSessionUrl()?

[panva]

You should probably consult AAD documentation. I am in no position to advise here.