I have an SSO app (let's say apps A and B) using Azure AD B2C, each with React SPAs using @azure/msal-react to manage the authentication. In the Azure console, I have both A and B configured with a sign out url (see below)
However, when I log out from app A it doesn't automatically log out from app B as expected. Instead app B remains signed in for the current tab, but if I open app B in a second tab it's logged out as expected. When I dug deeper I found that some state is left behind in session state for app B. This makes perfect sense, as what I believe happens is that the signout link from app B is opened in an iframe in the background. An iframe is a new session, so the session storage can't be cleared.
Is there a way of clearing the data or getting b2c not to use session storage so that logout will work across multiple sites? I realise I could probably solve this by closing the current tab on logout but it seems like a last resort to me.
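One way to work around the per-tab sessionStorage problem described in the question, as an added example that is not code from the question or from MSAL: the front-channel logout page (assumed here to be a dedicated SPA route, `/logout-frame`, registered as the app's sign-out URL in B2C) runs in B2C's hidden iframe and cannot reach another tab's sessionStorage, but localStorage is shared per origin and writing to it fires a `storage` event in every other open tab, which can then clear its own MSAL state. The key name and the post-logout navigation are constructed for this example.

```javascript
const LOGOUT_KEY = "app.frontChannelLogout"; // constructed key name; any unused key works

// Runs inside the hidden iframe that B2C opens on the front-channel logout URL.
// A localStorage write is visible to every tab of this origin and raises a
// "storage" event in each of them (never in the writer itself).
function signalFrontChannelLogout(localStore, now = Date.now()) {
  const stamp = String(now);
  localStore.setItem(LOGOUT_KEY, stamp);
  return stamp;
}

// Runs in each top-level tab. `onLogout` ends the local MSAL session (for
// example by calling the MSAL instance's logoutRedirect()). sessionStorage is
// cleared here because the iframe cannot reach it; MSAL's default
// cacheLocation is sessionStorage, which is the state the question saw left behind.
function installFrontChannelLogoutListener(win, sessionStore, onLogout) {
  const handler = (event) => {
    if (event.key !== LOGOUT_KEY || event.newValue === null) return false;
    sessionStore.clear();
    onLogout();
    return true;
  };
  win.addEventListener("storage", handler);
  return handler; // exposed so the caller can remove it later or drive it in tests
}

// Browser wiring; skipped when this file runs outside a browser (e.g. under Node).
if (typeof window !== "undefined") {
  const inIframe = window.self !== window.top;
  if (inIframe && window.location.pathname === "/logout-frame") {
    signalFrontChannelLogout(window.localStorage);
  } else {
    installFrontChannelLogoutListener(window, window.sessionStorage, () => {
      window.location.assign("/"); // hypothetical: send this tab back to the sign-in route
    });
  }
}
```

The `storage` event only fires in tabs other than the writer, so the iframe's own document is unaffected, which is what you want.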
Related
A customer changed to Azure AD, so we have to update our app accordingly. Unfortunately we have neither access to the customer's Azure AD administration portal, nor user credentials to test our app. We only know that ...
All starts here: https://myapplications.microsoft.com
Browser login consists of (1. dialog) email address, (2. dialog) password, (3. dialog) OTP token entry (OTP sent via SMS). Microsoft Authenticator works as well.
Once through the authentication process, the page with the Azure applications appears. In our app, we'd like to avoid this page showing up, since the app should take over after the OTP token is entered in Microsoft Graph API (= authentication is completed). So the authentication webview should close by itself after authentication is finished.
We read a lot about MSAL the last days, but since we have to code blindly (no sample login credentials/OTP available, no Azure AD administration access), it's kind of fishing in the dark.
We used this page as starting point: https://github.com/AzureAD/microsoft-authentication-library-for-objc
We use Xcode 13.4.1 with Swift.
By using Safari Web Inspector on the concerned Azure AD application, we populated the required MSAL constants as follows:
let kClientID = "2793995e-0a7d-40d7-bd35-6968ba142197" // probably not correct, see (a.) below
let kGraphEndpoint = "https://graph.microsoft.com/" // not found in Web Inspector data, but most MSAL code uses it
let kAuthority = "https://login.microsoftonline.com/common/" // found in Web Inspector data
let kRedirectUri = "https://myapplications.microsoft.com" // the URL after authentication is complete
let kScopes: [String] = ["User.Read"] // not found in Web Inspector data, but most MSAL code uses it
Questions/Problems:
https://myapplications.microsoft.com always shows the client_id 2793995e-0a7d-40d7-bd35-6968ba142197. As far as we understood, every Azure AD application has its own client_id, hence 2793... cannot be correct since it's "generic". If the client_id is not correct, can we find the correct one using the concerned Azure AD application's Safari Web Inspector data?
The above constants seem to work, but when our testers log in, the last page showing all Azure AD applications remains open. Some sample MSAL test code from GitHub, however, closes Microsoft Graph API after credentials were entered. Is this closure of the authentication webview triggered by the server (Azure AD setting) or the client?
After testers logged in through the app, then suspended the app (via App Switcher), then opened the app again, the complete Graph API login was required again. Silent login (acquireTokenSilently) didn't work. When using Safari, silent login works, however. What could be wrong?
Does the Safari Web Inspector data tell us what the product bundle identifier is (which we need for msauth.$(PRODUCT_BUNDLE_IDENTIFIER) as redirect URI)?
So basically, we'd like to ...
avoid the Graph API portal page, which shows up after authentication is done
remain logged in after app returns from suspended (acquireTokenSilently())
use Authenticator if installed on the device
We've never worked with Azure AD before.
Any hint about mistakes/misunderstandings would help.
Many thanks!
----- UPDATE (27.07.2022) -----
As a reminder ... we neither have access to the Azure AD portal, nor do we have test credentials (username, password, SMS code [OTP]).
After lots of testing and simulating, still no success.
Using Safari, the flow for a regular user looks like this:
https://myapplications.microsoft.com
The authentication starts with the entry of the organization specific email address.
Azure detects this organization, checks the existence of the email address and asks for the password.
Next, Azure either sends an SMS code or triggers the broker (Microsoft Authenticator). It's device configuration specific which one is used.
The page with the Azure AD applications opens.
On iOS/macOS (Xcode, our application), the above flow is similar. MSAL debug messages reveal, however, that no token is sent. acquireToken() only completes after the webview is cancelled (MSAL error -50005). It seems that a Web application doesn't require a token?!
Now ... in our (iOS) app, we would only like to get the token in order to access the Web application with our (iOS) app (using the Bearer inside the URL request).
How can we get a token for a Web application without redirecting to that page at the same time (which doesn't return a token)?
Does Azure AD allow access to that Web application using the gained token?
A server side (Azure AD) solution would be a redirect_uri entry in the Authentication section (MY_BUNDLE_ID). But we have to do without.
You don't need to target the MyApps app (2793995e-0a7d-40d7-bd35-6968ba142197). You should target your own Azure AD App registration. For more information please take a look at MSAL iOS Swift Microsoft Graph API Sample.
I created a new Azure AD B2C.
I created a new application.
Accounts in any identity provider or organizational directory (for authenticating users with user flows)
provided a redirect URL of my app (I also tried by giving external URL, https://jwt.ms)
Generated secret key and certificates.
I enabled Implicit grant and hybrid flows.
I created a new user flow for signup and signin, ran this flow from the Azure portal and it successfully runs and shows a token on https://jwt.ms.
I cloned the sample app (WebApp-OpenIDConnect-DotNet), ran it with the default values which came in the sample app and everything works fine.
I added my client id, instance, domain etc. settings to the appsettings.json file.
When I run it and click on the login button, it generates the URL but it never takes me to the login page; instead it takes me to the redirect url without any code or querystring in the URL.
I am expecting the Azure AD B2C signin page to appear, and only after login will it take me to the redirect URL.
Can you please guide me on what I am missing here or let me know if more information is needed here? I will try my best to provide as much information as possible.
As stated by Jas Suri, it was due to a URI mismatch. I checked in Chrome dev tools and found the issue.
Thanks for excellent community on stack overflow.
I am working on a project that uses Azure API Management (APIM) and requires Azure B2C to authenticate into the APIM portal and to make API calls within APIM. User accounts are considered "local" accounts in Azure AD (no social accounts). As a developer, I have several Azure B2C user accounts setup so I can test different scenarios.
The problem I am having is that I haven't found a way to switch user accounts effectively w/o Azure B2C 'remembering' my previously logged in account. Using MS Edge or Google Chrome, clearing cookies in the browser seems to have no impact on removing any previously cached login information. B2C somehow still seems to 'remember' the user account I had previously logged in with.
To make things worse, I had deleted a user account that I had previously logged in with and after doing that, I couldn't login to Azure B2C at all and got an error in APIM stating that it couldn't find the account.
I've attempted to force a logout by calling a logout endpoint like this:
https://my_domain.b2clogin.com/my_domain.onmicrosoft.com/oauth2/v2.0/logout?p=b2c_1A_signup_signin
That seems to have some impact, but not always... and it didn't resolve the issue of the deleted account.
So in a nutshell, is there a way to switch user accounts using Azure B2C?
As a very verbose way of doing it, you can try adding the &prompt=select_account parameter to your login url.
Something like this:
https://my_domain.b2clogin.com/my_domain.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1A_signup_signin&clientId=..[many more]...&prompt=select_account
Check your browser's navigation history if you have trouble finding out your login URL.
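The authorize and logout URLs the question and this answer describe, built with the URL API so the parameters are encoded correctly, as an added example (not code from the question or the answer). The standard query parameter is `client_id`; the tenant name, policy, client id and redirect URI below are constructed placeholders, and `state`/`nonce` must be supplied by the caller from a CSPRNG.

```javascript
// Builds the B2C authorize URL (optionally with prompt=select_account, which
// forces the account picker even when B2C still has a session cookie) and the
// matching logout URL for one user flow (the "p=" policy parameter).
function b2cEndpoints({ tenant, policy, clientId, redirectUri, scopes, state, nonce, prompt }) {
  const base = `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/oauth2/v2.0/`;
  const authorize = new URL(base + "authorize");
  authorize.searchParams.set("p", policy);
  authorize.searchParams.set("client_id", clientId);
  authorize.searchParams.set("response_type", "code");
  authorize.searchParams.set("redirect_uri", redirectUri);
  authorize.searchParams.set("scope", scopes.join(" "));
  authorize.searchParams.set("state", state);   // caller-supplied random value, echoed back
  authorize.searchParams.set("nonce", nonce);   // caller-supplied random value, bound into the id_token
  if (prompt) authorize.searchParams.set("prompt", prompt);
  const logout = new URL(base + "logout");
  logout.searchParams.set("p", policy);
  logout.searchParams.set("post_logout_redirect_uri", redirectUri);
  return { authorize: authorize.toString(), logout: logout.toString() };
}

// Inspects a login URL copied from the browser history and reports whether it
// already forces the account picker, so you can tell why B2C "remembers" a user.
function hasSelectAccountPrompt(loginUrl) {
  try {
    return new URL(loginUrl).searchParams.get("prompt") === "select_account";
  } catch {
    return false; // not a parsable absolute URL
  }
}

// Constructed sample values for a tenant named "contoso" (placeholders, not real).
const sample = b2cEndpoints({
  tenant: "contoso",
  policy: "B2C_1A_signup_signin",
  clientId: "00000000-0000-0000-0000-000000000000",
  redirectUri: "https://localhost:5001/signin-oidc",
  scopes: ["openid", "offline_access"],
  state: "replace-with-random-state",
  nonce: "replace-with-random-nonce",
  prompt: "select_account",
});
```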
Did you try incognito mode in Chrome? During the auth process multiple endpoints are invoked; you could trace your auth with Fiddler and notice the endpoints that return set-cookie headers. Clearing cookies for these endpoints should result in "sign-out".
We have a web application implemented in Java/JSP, and Azure AD single-sign-on authentication has been implemented using the OpenID Connect protocol. The sign-in approach is working as expected, but the major issue is with sign-out. While signing out the user we are following the below approach.
1) User clicks sign-out button.
2) He will be redirected to the application sign-out page.
3) Clear the application session in sign-out page.
4) Then redirecting the user to Azure AD logout page, see below URL...
https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=our_application_sign_out_success_page
The above approach is working as expected, but the problem is, if a user copies and pastes the above URL into a browser tab while the user has a valid session in another browser tab, his AD session is getting cleared.
But the expected behavior is, the logout should happen only when user clicks the sign_out button.
This is expected behavior; the server is not able to detect whether the request is sent by clicking or by pasting into the address bar and navigating manually. And the server shouldn't care where the request is from; it only does the job you told it to.
And if you have other applications also using the Azure AD as the identity data provider, the sign-out request will not affect the other applications when you sign-out from your web application. Also if you want to implement the single sign-out, you have to implement LogoutUrl in the web application and register it on the Azure portal.(refer here)
I'm currently working on a web application that authenticates users through Azure AD via OpenID Connect. When an unauthenticated user hits the application, they are redirected to the Microsoft login page where they can input their AD credentials and login to the site. This is all good and working as expected.
The issue is that Azure AD Access Tokens only last for an hour, so if a user sits on a page for over an hour and then decides to continue working on that page (like say, make ajax calls within the page), nothing happens on the users' end (the page basically becomes unresponsive to server calls). If the user manually refreshes their page then their access is refreshed and they can continue using the application as normal, but this is obviously a problem when users have to refresh their pages every hour.
I've been looking online for solutions but I can't find anything concrete; most questions dealing with the issue address Web API calls, but I haven't found any solid information on how to deal with the issue when authenticating through the back-end (i.e. authenticating with Azure AD through OpenID) while attempting to make front-end (i.e. ajax) calls when the AD Access Token has expired.