We are building a Blazor WASM application using Azure AD B2C to perform authentication with user flows (no custom policies). Our company Active Directory acts as our federated identity provider. In other words, users log in using their domain account. This application is used on a tablet shared between multiple users, so they have to log out/log in multiple times a day.
The problem we are facing now is that after the user logs out, the login prompt is never displayed again. The previous user is always authenticated by default, which makes sense because we don't sign out the user from other applications. However, in our case, we need to have the user prompted every single time since multiple users are using the application.
One thing we can see is that the session seems to be retained by the “login.microsoftonline.com” cookie; when it is manually deleted from the browser, we see the prompt for the user credentials again.
My question is, is there a way to force the login prompt to be displayed every time? Or alternatively, be able to sign out for the application only?
We tried to set ‘Disabled’ in the ‘Single sign-on configuration’ setting of the user flow without any success. According to the documentation that looked like what we needed, but it doesn’t seem to work.
We also disabled the ‘Enable keep me signed in session’ option and again, no success.
Here is my AddMsalAuthentication:
builder.Services.AddMsalAuthentication<RemoteAuthenticationState, CustomUserAccount>(options =>
{
    builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
    options.ProviderOptions.DefaultAccessTokenScopes.Add("openid");
    options.ProviderOptions.DefaultAccessTokenScopes.Add("offline_access");
    options.ProviderOptions.LoginMode = "redirect";
    options.UserOptions.RoleClaim = "roles";
}).AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount, CustomClaimsPrincipalFactory>();
Any ideas? Thanks
You can use Microsoft.AspNetCore.Components.WebAssembly.Authentication instead of Microsoft.Authentication.WebAssembly.Msal to send the additional query parameter prompt=login, which redirects the user to the IdP instead of using the cached token. The following steps would be required:
1. Install the NuGet package Microsoft.AspNetCore.Components.WebAssembly.Authentication.
2. Replace the AuthenticationService.js script in wwwroot > index.html from the Msal one to the one below.
3. Replace the AddMsalAuthentication piece of code in Program.cs with this one.
The whole reason for doing this is that Msal doesn't allow sending additional query parameters. This is still kind of a workaround since it still doesn't clear the “login.microsoftonline.com” cookie but it does achieve similar functionality.
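The Program.cs registration described in the answer, written out as an added example (not the answerer's own snippet, which is not reproduced on the page). It keeps the question's CustomUserAccount and CustomClaimsPrincipalFactory types and its "AzureAdB2C" configuration section; the authority and client id are placeholders, and it assumes OidcProviderOptions exposes the AdditionalProviderParameters dictionary and already seeds DefaultScopes with openid and profile.

```csharp
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;

var builder = WebAssemblyHostBuilder.CreateDefault(args);

// index.html must load the generic OIDC script instead of the MSAL one:
// <script src="_content/Microsoft.AspNetCore.Components.WebAssembly.Authentication/AuthenticationService.js"></script>
builder.Services
    .AddOidcAuthentication<RemoteAuthenticationState, CustomUserAccount>(options =>
    {
        // appsettings.json "AzureAdB2C" section supplies Authority and ClientId, e.g. (placeholders):
        //   "Authority": "https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/<user_flow>/v2.0",
        //   "ClientId":  "<application-id>"
        builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions);

        options.ProviderOptions.ResponseType = "code";
        // "openid" and "profile" are assumed to be present already; add the refresh-token scope.
        options.ProviderOptions.DefaultScopes.Add("offline_access");

        // The point of the workaround: prompt=login is appended to every authorize
        // request, so the IdP re-authenticates even though its own session cookie
        // (login.microsoftonline.com) still exists for the previous user.
        options.ProviderOptions.AdditionalProviderParameters.Add("prompt", "login");

        options.UserOptions.RoleClaim = "roles";
    })
    .AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, CustomUserAccount, CustomClaimsPrincipalFactory>();

await builder.Build().RunAsync();
```

Because the IdP cookie survives, verify on the shared tablet that a logout followed by a fresh login actually shows the credential prompt rather than only changing which account the application thinks is active.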