OneLogin SP initiated SSO with SameSite Lax by default causes user to be redirected to OneLogin Portal, not SP - onelogin

The normal flow is that the user is redirected from the SP (Service Provider) to OneLogin to enter username/password. Upon success, the user is redirected back to the SP.
But this does not work when using browser flags:
In Chrome, SameSite by default cookies is enabled
In Firefox, network.cookie.sameSite.laxByDefault = true
In this case, the user is redirected to the OneLogin portal instead of the SP.
Is OneLogin ready for when this change is made by browsers?
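As an added illustration (not part of the original question), the model below shows which cookies a browser attaches to the post-login top-level POST across sites under the old default versus SameSite=Lax-by-default; whichever party stored the pending SSO request state in a cookie set without a SameSite attribute cannot read it back on that POST. Cookie and request objects are constructed for the example.

```javascript
// cookie: { name, secure: bool, sameSite?: "Strict" | "Lax" | "None" }
// req:    { crossSite: bool, method: "GET" | "POST", topLevel: bool, https: bool }
// opts:   { laxByDefault: bool }  (Chrome "SameSite by default" / Firefox laxByDefault flag)
function cookieIsSent(cookie, req, opts) {
  // Lax-by-default browsers also reject SameSite=None cookies that are not Secure.
  if (opts.laxByDefault && cookie.sameSite === "None" && !cookie.secure) return false;
  if (cookie.secure && !req.https) return false;
  if (!req.crossSite) return true;               // same-site requests always carry it
  // A cookie with no SameSite attribute behaves as None (old default) or Lax (new default).
  const effective = cookie.sameSite ?? (opts.laxByDefault ? "Lax" : "None");
  if (effective === "None") return true;
  if (effective === "Lax") return req.topLevel && req.method === "GET";
  return false;                                   // Strict (or unknown): never cross-site
}

function cookiesSent(cookies, req, opts) {
  return cookies.filter(c => cookieIsSent(c, req, opts)).map(c => c.name);
}

// Constructed sample: the pending-request state cookie was set without SameSite (legacy)
// or with SameSite=None; Secure (fixed). The SAML HTTP-POST binding is a cross-site,
// top-level POST, which is exactly the case Lax excludes.
const stateCookieLegacy = [{ name: "sso_state", secure: true }];
const stateCookieFixed = [{ name: "sso_state", secure: true, sameSite: "None" }];
const postLoginPost = { crossSite: true, method: "POST", topLevel: true, https: true };

function demo() {
  return {
    // old default: cookie arrives, the pending request can be matched and the flow completes
    before: cookiesSent(stateCookieLegacy, postLoginPost, { laxByDefault: false }),
    // Lax-by-default: cookie dropped on the cross-site POST, so the pending state is lost
    broken: cookiesSent(stateCookieLegacy, postLoginPost, { laxByDefault: true }),
    // explicit SameSite=None; Secure restores the cookie on the cross-site POST
    fixed: cookiesSent(stateCookieFixed, postLoginPost, { laxByDefault: true }),
  };
}
```

Chrome additionally applies a "Lax+POST" mitigation that still sends an attribute-less cookie on a top-level POST when it was set less than two minutes earlier, so the breakage can look intermittent (it shows up mainly after slow logins or MFA steps).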

Related

Optional sign in + SSO with azure ad b2c

I have an application which has multiple frontend SPAs (mostly React). They allow the user to sign in if they want to access privileged features, but an unauthenticated user is still able to access the site. Each SPA will access some backend apis using a token if they are authenticated. All of these sites should function transparently when it comes to login, so if you login on one site, it should be automatically propagated to all the sites (SSO)
When a site first loads we want to get the token for the user if they are logged in with SSO. If we use the redirect flow and the user isn't signed in we will end up on the sign in page, which isn't what we want as we allow anonymous access. We only want to show the login page if the user explicitly clicks the login link on a site.
Is there a way to check if the user is logged into sso without redirecting to the login page?
We have looked at ssoSilent (from msal) which functionally does what we want however its only supported via third party cookies which don't work in some browsers.
I have thought perhaps we could redirect to a silent login page which if the user isn't logged in will just redirect back with an anonymous flag in the queryString, but I don't know if theres a way to do this with azure b2c.
The only method is ssoSilent(), or your own implementation of it via iframe. It should work as long as your app is on the same root domain as the AAD B2C login page, which you can do with the Custom Domain feature.
There is no API endpoint available to do what you want.

User is not prompted for a password after signing out from local B2C

We are using msal-react library to login to Azure ADB2C. We support both externally federated users and "local" users, which are stored in our Azure ADB2C tenant. However, when my "local" B2C user signs out, even though I see tokens gone from the browser session storage, I am not asked for a password during next login and I am automatically logged in. When I close the browser it works, but not in the same browser session. Is this a bug in msal-react logout?
Any suggestions?
User is not prompted for a password after signing out from local B2C since the session cookie is still present. You can force re-authentication:
Adding ?prompt=login to the /authorize request. E.g.: https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?prompt=login&...
Or
Configuring Azure AD B2C session behavior.

Sign Out Of All Accounts When RedirectURI returns to guarded application

I am using MSALjs to logout a user on my application. When the msalService.logoutRedirect() is triggered, the page redirects and is logged out. However, my application does not have an "un-guarded" route, thus the redirect after logout (postLogoutRedirectUri) is set to return to the application's last active page. And when it returns to the application, the MSAL guard automatically finds a valid MS session and logs back in again automatically (after redirects).
If I change the postLogoutRedirectUri to https://login.microsoftonline.com/common/oauth2/logout, the logout does work and I am signed out correctly. However, I would like to immediately be prompted to sign back in, which is why I intend on returning to the application so the MsalGuard can prompt sign in.
Per a recent GitHub issue, one of the MSAL contributors said the following:
This is a nuance of how B2C works. By default B2C might not log you out of your federated identity provider when you call the logout endpoint, this is explained in more detail here. I unfortunately don't know enough about B2C configuration to give you a definitive answer but you may need to create a custom policy which redirects to the AAD logout endpoint you mentioned: 'https://login.microsoftonline.com/common/oauth2/logout' as this endpoint is the one that ultimately closes your session with AAD. You can also have B2C pass through your postLogoutRedirectUri to this endpoint so that AAD redirects you back to your application after the logout instead of ending on the "Close this window" screen, if desired.
How can I set this up so the logout is triggered correctly and all sessions are signed out?
Furthermore, if I manually change the metadata of the openid-config to have the "end_session_endpoint" equal to the microsoftonline logout link from above, the behavior seems to be more in line with what I would expect.
You could send the apps post logout redirect uri to the federated IdPs logout url. You can set the postLogoutRedirectURI in MSAL config object.
And at the federated IdP, set the logout url to the application.
Approach only works if you are using 1 federated IdP, and is the only IdP available.
    function signOut() {
        const logoutRequest = {
            // Send the user to the federated IdP's logout endpoint, which then redirects back to the app
            postLogoutRedirectUri: "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://myapp.com"
            // (the MSAL sample's original value here was msalConfig.auth.redirectUri)
        };
        myMSALObj.logoutPopup(logoutRequest);
    }
Otherwise, make an unguarded page in your app that redirects to the guarded page, but sets the MSAL prompt parameter to “login”. At least then the B2C login page will appear, and allow the user to select how they want to login. They may still get SSO if they select a federated IdP.
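A way to build the chained logout URL from the answer above with proper percent-encoding and an app-side allow-list of final destinations (added example, not the answerer's code; the endpoint and https://myapp.com are the values quoted in the answer, the allow-list entries are constructed):

```javascript
const FEDERATED_LOGOUT = "https://login.microsoftonline.com/common/oauth2/v2.0/logout";
// Constructed allow-list: origin + path of the pages the app is willing to land on after logout.
const ALLOWED_POST_LOGOUT = new Set(["https://myapp.com/", "https://myapp.com/signed-out"]);

// Exact match on normalized origin + path, https only, and no query or fragment that could
// carry a second redirect target through the chain.
function isAllowedDestination(uri) {
  try {
    const u = new URL(uri);
    return u.protocol === "https:" &&
      ALLOWED_POST_LOGOUT.has(u.origin + u.pathname) &&
      u.search === "" && u.hash === "";
  } catch {
    return false; // not a parseable absolute URL
  }
}

// Nest the app URL inside the IdP logout URL. URLSearchParams encodes ":" "/" "?" "&", so
// the inner URL cannot break out of the outer query string.
function buildChainedLogoutUri(appUri) {
  if (!isAllowedDestination(appUri)) {
    throw new Error(`post-logout destination not allowed: ${appUri}`);
  }
  const u = new URL(FEDERATED_LOGOUT);
  u.searchParams.set("post_logout_redirect_uri", appUri);
  return u.toString();
}

// The object to hand to logoutPopup()/logoutRedirect(), built from a validated destination.
function logoutRequestFor(appUri) {
  return { postLogoutRedirectUri: buildChainedLogoutUri(appUri) };
}
```

Both AAD and B2C still check post_logout_redirect_uri against the registered reply URLs; the allow-list here protects the app's own side of the chain.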

Azure B2C - How to skip sign in page for profile edit flow on mobile app

According to the documentation here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-profile-editing-policy?pivots=b2c-custom-policy, the profile edit flow will show the sign-up or sign-in page if there is no active session. If the session is active, Azure AD B2C authorizes the user and skips to the next step.
However, if I understand correctly, this 'session' would be in the form of a cookie right? If that's the case, what would happen with mobile apps?
A mobile app doesn't use cookies. After logging in, it only has the ID token, access token and refresh token. So if a user logs in on an app and then starts a profile edit flow, how would the app tell the browser that the user is already logged in?
If you are using the web view redirect flow, a cookie is set in the web view which then gives SSO for profile edit. You don’t need to configure anything in B2C to make it behave like this, it’s default.

Azure ad b2c custom policy with KMSI, auto signin not working after browser close

I have created an Azure AD B2C custom sign-in policy with the KMSI (keep me signed in) option, and I am using it in a Blazor Server application.
But automatic sign-in is not working after the browser is closed; I need to click the 'Login' button.
After clicking the login button there is no need to enter credentials again, if the KMSI check box was checked at the time of the previous sign-in.
But I want to sign in automatically if the KMSI check box was checked at the time of sign-in.
Could you check the authorization request the app sends to Azure AD B2C, whether it contains the prompt=login query string parameter? If yes, please make sure to remove this param.
This is expected, your app cookie is not persisted, so the app has no idea you’re still logged in at B2C. Therefore you have to click login in the app and then you get SSO through AAD B2C.
You could maintain a cookie set by the app to automatically send the user via the login endpoint if they had signed in previously with KMSI. You can use a claims resolver to send the KMSI claim into the token so your app can understand the user logged in with KMSI.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/claim-resolver-overview
I tested KMSI functionality on my side, and I can repro your symptom. My test is based on this demo: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi
This is my test process below:
Registering a local account.
Login by this account, and enabled KMSI
I logged in successfully:
Close the browser, reopen it and go to my app index. My index page is allowed to be visited anonymously, so it does not know who I am. I think this is the issue that you are concerned about:
But when I click the "Claims" tab, which requires users to be authenticated, it redirects to my B2C domain:
As I enabled KMSI, there is a cookie under my B2C domain:
As this cookie exists, B2C provides me with the resource I requested: the B2C side sends a request to the redirect URL with the ID token and code:
Finally, it redirects to the "Claims" page and the app knows who I am:
In a word, there are two kinds of sessions here: a session between user and B2C and a session between the user and your application.
Once you close your browser, by default you lose the cookie for the user on your application, so when the user opens a page of your app that needs no auth after reopening the browser, there is no cookie and your application does not know the user. But on the B2C side the cookie persists thanks to KMSI. Only when the user requests some functionality that needs authentication in your app is the user redirected to the B2C domain, and B2C sending the user's information to your app is what makes KMSI work.
In my opinion, extending the lifetime of your application cookie may be a solution here. At the same time, you also need to extend the session timeout to make sure your application recognizes that long-lived cookie. But as we know, it consumes a lot of server RAM if the server holds lots of sessions.
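Added example (not the code of either answer) for the app-side approach described in the two answers above: after a verified sign-in the app records only a "signed in with KMSI" flag in a persistent cookie (never the tokens), and on an anonymous page load with no app session it sends the user through the login endpoint so the B2C KMSI cookie can complete SSO. The claim name "kmsi" (whatever the policy's claim resolver maps {Context:KMSI} to), the cookie name, the cookie lifetime and the /signin route are assumptions.

```javascript
const KMSI_FLAG_COOKIE = "app_kmsi";                 // assumed cookie name
const KMSI_COOKIE_MAX_AGE = 90 * 24 * 3600;          // assumed; the B2C KMSI lifetime lives in the policy

// Minimal Cookie header parser (no dependency) returning { name: value }.
function parseCookies(header = "") {
  return Object.fromEntries(
    header.split(";").map(s => s.trim()).filter(s => s.includes("=")).map(s => {
      const i = s.indexOf("=");
      return [s.slice(0, i), decodeURIComponent(s.slice(i + 1))];
    })
  );
}

// Set-Cookie value to emit after the app's OIDC library has validated the ID token.
// `claims` is the verified token payload; only the KMSI claim is consulted, nothing secret is stored.
function kmsiCookieFor(claims) {
  const kmsi = claims.kmsi === true || claims.kmsi === "true"; // assumed claim name
  if (!kmsi) return null;
  return `${KMSI_FLAG_COOKIE}=1; Max-Age=${KMSI_COOKIE_MAX_AGE}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Set-Cookie value to emit on sign-out (or when a sign-in attempt ends without a session).
function clearKmsiCookie() {
  return `${KMSI_FLAG_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Decision for a request to a page that allows anonymous access.
// req: { headers: { cookie? }, hasAppSession: bool, path: string }
// returns { action: "serve" } or { action: "redirect", location }
function routeAnonymousPage(req) {
  if (req.hasAppSession) return { action: "serve" };
  const cookies = parseCookies(req.headers.cookie);
  // Never redirect from the sign-in route itself, otherwise a failed login loops forever.
  if (cookies[KMSI_FLAG_COOKIE] === "1" && !req.path.startsWith("/signin")) {
    // Plain login request: do not add prompt=login here, or B2C will ask for credentials again.
    return { action: "redirect", location: `/signin?returnUrl=${encodeURIComponent(req.path)}` };
  }
  return { action: "serve" };
}
```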
