Logout is not working in Microsoft Azure Web App - azure

I am using the following method to implement logout functionality for Azure Web App.
I am using the url https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1} where {0} is the Azure AD url and {1} is the web app url.
Sample url: https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout?post_logout_redirect_uri=http://myazurewebapp.azurewebsites.net
This gives me the output stating
"You signed out of your account. It's a good idea to close all browser windows."
But when I put the site URL in the browser, the user goes through without going through authentication. I have also added code for expiring the cookies, but it's not helping. After sign-out I want the user to be redirected to the login page, and the user should also have to go through authentication to log in.

According to your description, I have created a new ASP.NET Web Application that doesn't require any user authentication, then I followed this tutorial for configuring my web app to use AAD login.
To restrict access to your site to only users authenticated by Azure Active Directory, set Action to take when request is not authenticated to Log in with Azure Active Directory.
When a user has logged in, you could find a cookie named AppServiceAuthSession as follows:
For a simple way to log out, you could just call https://{your-webapp-name}.azurewebsites.net/.auth/logout. This built-in endpoint clears your browser cookies first, then redirects you to Azure AD to process the log out, as follows:
When the log out operation is finished on the Azure AD side, the browser redirects you to the post_logout_redirect_uri (/.auth/logout/complete by default), as follows:
In summary, please leverage Fiddler to capture the requests when performing log out in your web app, and check whether the cookie AppServiceAuthSession has been removed after you logged out.
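As an added example (not from the answer above and not Azure App Service code), the following Python script performs that Fiddler check offline on a constructed capture of the /.auth/logout hop chain: it verifies that the AppServiceAuthSession cookie was actually expired by the app, that the chain reaches the Azure AD logout endpoint, and that it comes back to /.auth/logout/complete on the same host. The host name, cookie attributes and hop list are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

APP_HOST = "mywebapp.azurewebsites.net"  # assumed app host for the example
SESSION_COOKIE = "AppServiceAuthSession"
# Constructed capture of the /.auth/logout hop chain: (status, headers) per response.
AAD_LOGOUT = ("https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout"
              "?post_logout_redirect_uri=https%3A%2F%2Fmywebapp.azurewebsites.net%2F.auth%2Flogout%2Fcomplete")
CAPTURE = [
    (302, {"Location": AAD_LOGOUT,
           "Set-Cookie": "AppServiceAuthSession=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure"}),
    (302, {"Location": "https://mywebapp.azurewebsites.net/.auth/logout/complete"}),
    (200, {}),
]
def cookie_cleared(set_cookie, name=SESSION_COOKIE):
    """True if Set-Cookie removes the cookie: empty value, Max-Age <= 0, or Expires in the past."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        return False
    m = jar[name]
    if m.value == "" or (m["max-age"] and int(m["max-age"]) <= 0):
        return True
    if m["expires"]:
        exp = parsedate_to_datetime(m["expires"])
        exp = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
        return exp < datetime.now(timezone.utc)
    return False

def check_logout_chain(capture, app_host=APP_HOST):
    """Walk the hops and report what a Fiddler trace of a working logout shows."""
    r = {"cookie_cleared": False, "aad_logout_hit": False, "returned_to_app": False,
         "post_logout_redirect_uri": None}
    for status, headers in capture:
        if cookie_cleared(headers.get("Set-Cookie", "")):
            r["cookie_cleared"] = True
        u = urlsplit(headers.get("Location", ""))
        if status not in (301, 302, 303, 307):
            continue
        if u.netloc == "login.microsoftonline.com" and u.path.endswith("/oauth2/logout"):
            r["aad_logout_hit"] = True
            r["post_logout_redirect_uri"] = parse_qs(u.query).get("post_logout_redirect_uri", [None])[0]
        elif u.netloc == app_host and u.path == "/.auth/logout/complete":
            r["returned_to_app"] = True
    back = r["post_logout_redirect_uri"] or ""
    r["ok"] = (r["cookie_cleared"] and r["aad_logout_hit"] and r["returned_to_app"]
               and urlsplit(back).netloc == app_host)
    return r
```

A trace that clears the cookie but still re-authenticates silently on the next visit points at the Azure AD sign-on session rather than the app cookie, which is the single sign-on behaviour described further down this page.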

@Bruce: No, I am not using any URL authentication rules. Let me tell you what's happening step by step.
1) I have used the same URL you provided as the logout URL.
2) The page is redirecting to https://login.microsoftonline.com/myazuread.onmicrosoft.com/oauth2/logout?post_logout_redirect_uri=https://mywebapp.azurewebsites.net/.auth/login/aad/callback. It's not getting redirected to the default logout page.
[Image: cookies on the page after redirecting to the logout URL]
3) If I navigate to the default logout page (/.auth/logout/complete) and click on "Return to website", for a brief moment it redirects to the Azure AD login page //login.microsoftonline.com/dcc17943-54b6-4bc7-b284-71d39f03aeb0/oauth2/authorize?response_type=id_token&redirect_uri=https%3A%2F%2Fmywebapp.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&client_id=1ab2f820-2ca0-4a78-bfea-c849b91d339d&scope=openid+profile+email&response_mode=form_post&state=redir%3D%252F%26b2cPolicy%3D&nonce=d74940629d5e434eb6454648d33f371d_20170215104002. It seems like it gets authenticated there automatically, and then redirects to the home page. I have deleted cookies manually too. Still the same result.

@Bruce: I found something. If I manually delete all the cookies from chrome://settings/cookies and then redirect the page, then it works. Can I do it programmatically, using JavaScript or C#?

One reason that your post-logout redirection is not working might be this Azure AD behavior, which caused issues in my case:
It doesn't work for root accounts of the tenant, that is, my personal account, which created the Azure subscription.
But it works for new accounts I created inside of my subscription.

Related

Redirect to Previous URL after Login in azure active directory

I have an ASP.NET Core web app with React registered in Azure Active Directory. How can I let the user go back to the original URL after the login redirect?
For example when I share with another user a link like this:
https://myapp.azurewebsites.net/#/route/subroute/254
the user is redirected to the login page
https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize?client_id=***&redirect_uri=https%3A%2F%2Fmyapp.azurewebsites.net%2F.auth%2Flogin%2Faad%2Fcallback&response_type=code&scope=user.read%20openid%20offline_access%20profile&response_mode=form_post
the login works fine but after authentication the user is redirected to the home page
https://myapp.azurewebsites.net/#/
but I want to redirect the user back to the previous page
https://myapp.azurewebsites.net/#/route/subroute/254
I used this link for the app configuration
https://learn.microsoft.com/it-it/azure/active-directory/develop/scenario-web-app-call-api-app-configuration?tabs=aspnetcore
For the app registration I tried these redirect URIs:
https://myapp.azurewebsites.net/signin-oidc
https://myapp.azurewebsites.net/.auth/login/aad/callback
Please can you help me?

okta unable to add my jhipster microservice application

Initially I set up a microservice application with OAuth2 and Keycloak.
I was able to do that successfully. I have added all the settings, such as SECURITY_OAUTH2_CLIENT_ACCESS_TOKEN_URI, SECURITY_OAUTH2_CLIENT_USER_AUTHORIZATION_URI, SECURITY_OAUTH2_CLIENT_CLIENT_ID, SECURITY_OAUTH2_CLIENT_CLIENT_SECRET, SECURITY_OAUTH2_CLIENT_SCOPE, SECURITY_OAUTH2_RESOURCE_USER_INFO_URI. I have the JHipster registry running and the gateway application running. I have created an application in Okta with the OpenID Connect application type. The screenshot is shown below. I am able to see http://localhost:8080. Upon clicking on the sign-in button I get the error below.
If you look in your browser’s address bar on the 400 error page, you’ll see it has “http://localhost:8080/login” as the redirect URI. Add this value to the Login redirect URIs in your Okta app and you should be good to go.
Thanks, I solved the issue. The solution was: the user with which I was trying to log in was not created in the users table. For that I created another user in Okta and assigned the roles to it, reset the password and tried logging in to the account. Upon invoking "http://localhost:8080" and clicking on the "sign in" button, it redirected to the Okta login page; I logged in with the user created above and it redirected me to the home page of my gateway.
Thank you

How to logout the account without login into and logout Azure Portal again

I had logged in to the Azure portal with my company account, which uses ADFS. Now I want to use another account to log in to the Azure portal. However, when I try to open portal.azure.com, it always redirects me to my company login page. I don't want to log in again, and there is no section to switch to my personal account; I can only use other accounts in my company. I hope I make sense.
Question: The login page is always redirected to my company login page. How do I get back the original login page without logging in and logging out again? (I know that it may work with clearing the browser cache, but I don't want this; I need some of the cache.)
Try entering this URL in your browser and pressing Enter:
https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fgraphexplorer.azurewebsites.net%2F
Then you will find that you have logged out of the original accounts. When you go to https://portal.azure.com, you can use any account you want:
I tested this method in both Chrome and Edge; it works.
For me personally, Firefox's Multi-Account Containers solves this issue very well.
I can be logged in simultaneously to however many accounts I want and they are all neatly isolated.
The reason you run into this problem by the way is that this is a feature of Azure AD.
It's called Single Sign-On.
You sign in once, you are authenticated to all apps which use O365 auth.
There are two different things you can try.
Try clearing your browser cookies only for the domain login.microsoftonline.com.
Use https://portal.azure.com/example.com instead of https://portal.azure.com, where example.com is your personal account domain.

How to log out from an Azure app-proxied website

I have an IIS website on a server internal to my domain that is also published via Azure Application Proxy, which is secured using Windows authentication. Our AD structure is hosted locally and published to Azure AD via AD Connect.
Users visiting from outside the domain are authenticated first via the login.microsoftonline.com page.
My problem is that users external to the domain are on shared devices and need to change users occasionally, and I can't figure out how to do that.
I have read that navigating to a URL like https://login.microsoftonline.com/{tenant id}/oauth2/logout?client_id={client id}&post_logout_redirect_uri={???} is supposed to achieve this, but after arriving at the login page and logging in as a different user, when we return to the site the user turns out not to be the user that authenticated, but remains the same user as before the attempt to change the user.
I have also read that deleting the cookies named like AzureAppProxyUserSessionCookie, AzureAppProxyAnalyticCookie and AzureAppProxyAccessCookie can help, but doing so does not seem to make any difference.
I thought that perhaps the browser was auto-authenticating or pre filling in forms etc, but turning those features off does not affect anything.
My questions are:
Are any log-off / log-on via Azure AD event logs kept that I can view, and if so, where?
How are you meant to log off in my scenario?

Google Authentication with SharePoint 2013 using Azure ACS

I've set up my SharePoint 2013 on-prem site to accept authentication from Google and Windows Live. Windows Live login works for the most part. I've set up an ACS in Azure where I've specified the return URL after the user signs in. I have entered the same return URL in the Google Developers console.
However, after the user logs in to their Google account, they get the following error:
Error: redirect_uri_mismatch
Application: Test
You can email the developer of this application at: myemailaddress#copmany.com
The redirect URI in the request: https://mysite.accesscontrol.windows.net:443/v2/openid did not match a registered redirect URI.
Can anyone tell me what I am doing wrong here, especially since the return URLs are the same in Google Developer Console > Credentials, as well as Azure ACS > Relying party applications.
Edit: The redirect URL is https://subdomain.mydomain.com/_trust in both Google Developers Console and Azure ACS.
Thanks!
You'll note the page is being served by Google (with its little broken robot thingy). So the problem is at their end.
Though it's not actually a problem but rather a security measure, in that you have to explicitly enable the redirect URL. Otherwise some level of hijinks may ensue, at your expense.
So you need to log in to your Google developer console and add the redirect URL of your Azure ACS account (not your web app / relying party) to the permitted redirect URLs.
So the image above is obviously after I had already entered the redirect URL.
Click the edit button and add it on a separate line.
And you're done.
Otherwise, judging by your edit, it looks as though you have simply used the wrong URL. You use the ACS callback URL, not your website URL, as the flow goes back through ACS, which reissues the token in its own format.
