Force user sign out in Azure AD B2C with federated identity provider


We are building a Blazor WASM application using Azure AD B2C to perform authentication with user flows (no custom policies). Our company Active Directory acts as our federated identity provider. In other words, users will log in using their domain account. This application is used on a tablet shared between multiple users, so they will have to log out/log in multiple times a day.

The problem we are facing now is that after the user logs out, the login prompt is never displayed again. The previous user is always authenticated by default, which makes sense because we don't sign out the user from other applications. However, in our case, we need to have the user prompted every single time since multiple users are using the application.

One thing we can see is that the session seems to be retained by the "login.microsoftonline.com" cookie; when it is manually deleted from the browser, we see the prompt for the user credentials again.

My question is, is there a way to force the login prompt to be displayed every time? Or alternatively, be able to sign out for the application only?

We tried to set 'Disabled' in the 'Single sign-on configuration' setting of the user flow, without any success. According to the documentation, that looked like what we needed, but it doesn't seem to work.

We also disabled the 'Enable keep me signed in session' option and, again, no success.

Here is my AddMsalAuthentication:

    builder.Services.AddMsalAuthentication<RemoteAuthenticationState, CustomUserAccount>(options => {
        // Authority, client id, etc. come from the "AzureAdB2C" configuration section
        builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
        options.ProviderOptions.DefaultAccessTokenScopes.Add("openid");
        options.ProviderOptions.DefaultAccessTokenScopes.Add("offline_access");
        // Full-page redirect to the B2C user flow rather than a popup
        options.ProviderOptions.LoginMode = "redirect";
        options.UserOptions.RoleClaim = "roles";
    }).AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount, CustomClaimsPrincipalFactory>();

Any ideas? Thanks


There are 2 best solutions below


You can use Microsoft.AspNetCore.Components.WebAssembly.Authentication instead of Microsoft.Authentication.WebAssembly.Msal to send the additional query parameter prompt=login, which would redirect the user to the IdP instead of using the cached token.

The following steps would be required:

Install the NuGet package Microsoft.AspNetCore.Components.WebAssembly.Authentication.

Replace the AuthenticationService.js script reference in wwwroot > index.html, swapping the Msal one for the one below.

<script src="_content/Microsoft.AspNetCore.Components.WebAssembly.Authentication/AuthenticationService.js"></script>

Replace the AddMsalAuthentication piece of code in Program.cs with this one.

    builder.Services.AddOidcAuthentication<RemoteAuthenticationState, RemoteUserAccount>(options => {
        // Authority, client id, etc. come from the "app" configuration section
        builder.Configuration.Bind("app", options.ProviderOptions);

        // Prompt for credentials when redirecting to the login endpoint
        options.ProviderOptions.AdditionalProviderParameters.Add("prompt", "login");

        // Adjust scopes and response type based on your IdP
        options.ProviderOptions.DefaultScopes.Clear();
        options.ProviderOptions.DefaultScopes.Add("openid");
        options.UserOptions.RoleClaim = "roles";
        options.ProviderOptions.ResponseType = "id_token";
    });

The whole reason for doing this is that Msal doesn't allow sending additional query parameters. This is still kind of a workaround, since it still doesn't clear the "login.microsoftonline.com" cookie, but it does achieve similar functionality.
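The same prompt=login behaviour can also be requested per sign-in rather than globally. The following is an added example, not code from the answer above; it assumes .NET 7 or later, where Microsoft.AspNetCore.Components.WebAssembly.Authentication exposes InteractiveRequestOptions and NavigationManager.NavigateToLogin, and it assumes the component is named RedirectToLogin and the login path is the default "authentication/login".

```csharp
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;

// Code-behind for an assumed RedirectToLogin.razor component that is rendered
// whenever an unauthenticated user hits a protected route. Instead of letting the
// IdP silently reuse the existing SSO session, it asks for fresh credentials.
public partial class RedirectToLogin : ComponentBase
{
    [Inject]
    private NavigationManager Navigation { get; set; } = default!;

    protected override void OnInitialized()
    {
        var request = new InteractiveRequestOptions
        {
            Interaction = InteractionType.SignIn,
            // Come back to the page the user originally asked for
            ReturnUrl = Navigation.Uri,
        };

        // OpenID Connect "prompt=login": the IdP must re-authenticate the end user
        // even if a valid session cookie for the previous user still exists.
        // TryAddAdditionalParameter returns false only if the name is already set.
        if (!request.TryAddAdditionalParameter("prompt", "login"))
        {
            throw new InvalidOperationException("prompt parameter was already set");
        }

        // "authentication/login" is the default path handled by RemoteAuthenticatorView
        Navigation.NavigateToLogin("authentication/login", request);
    }
}
```

On a shared device this only forces a fresh credential prompt; it does not remove the previous user's session cookie at login.microsoftonline.com, so a sign-out that clears the local token cache should still be triggered when a user hands over the tablet.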


Currently, this can only be achieved using Custom Policies. You will need to send the IdP a prompt=login query param using Input Claims.

Please let us know if you need additional assistance.