Sign out does not clear SSO token #425
Comments
Yep, that's the plan. We need a few more things sorted out on STS side, hence we did not push it out for preview.
@kpanwar good to hear -- I didn't see it implemented in any of the MSAL libraries either, so I filed an issue on the iOS and Android ones too.
Any updates? Or a workaround? In general when a user clicks "log out" they trust that it will indeed log them out. In the current state my user clicks log out and if they choose to log in again - they click once and they're logged in without prompt. So much for logout...
@wmwood this is something we still need to do.
Sign-off currently clears tokens. We need to update the code to launch the web-view to do a sign-off from device (by telling the IDP to sign-off, now that AAD implements it)
@jmprieur Any timeframe on the web-view for sign-off and is there a temporary workaround? If users enter the wrong creds they are unable to re-auth using the correct account. Also, I would expect UIBehavior.ForceLogin to prompt the user for credentials but this doesn't seem to have any effect.
This is on our backlog
@teelinmaloney : as far as a workaround is concerned, did you notice that in the sign-in web view, there is a vertical … on identities. This triggers a contextual menu with 2 options:
Any updates on the possibility of signing out for iOS?
@ismael9291 : Do you mean in the Xamarin iOS or native iOS library? If native iOS please post the question here: https://github.com/AzureAD/microsoft-authentication-library-for-objc
We are still waiting for the service to be able to support sign-out. Also this needs to be aligned with other libraries to ensure consistent behavior.
Any progress on this? Or any workarounds? The use case for me is the desktop. I need to implement an inactivity timeout to sign out the logged in user and prompt him to log in again. Trouble is, the sign-on screen shows the last logged in user as already logged in. Despite removing the accounts as described in the API.
Hi @shripathi-kamath - you have some control over the browser by using the

```csharp
var result = await pca.AcquireTokenInteractive(_scopes)
    .WithPrompt(Prompt.ForceLogin)
    .ExecuteAsync();
```
Thank you kindly, Bogdan. I tried your suggestion and it appears to be adequate for my workflow.
ForceLogin doesn't seem to work with social IdPs, is there a way around that?
@ffwdq - ForceLogin sets a URL param of In fact, B2C recommends that you do not use Prompt and B2C wants to handle this on their own. I am not sure how to achieve your scenario with B2C, @jennyf19 - any ideas?
Thanks for the answer, ended up using CefSharp in ICustomWebUi and running it in incognito mode
@ffwdq - wow, cool!
Any update on this? IMO, this should not be marked as an enhancement - it's a defect that can potentially lead to PII issues.
In the UI, you can click the vertical three dots, and hit "forget the account", this is the way suggested by Azure AD. The user has to make this decision, not the SDK.
This option is not working for B2C login. Any alternate options?
Looking at the code, I don't see Sign Out being properly implemented. There is a way to remove the user tokens from the local cache, but it does not appear to invoke the system web view to hit the `end_session_endpoint` endpoint value. That may leave the cookie between the system and the device valid such that a subsequent authenticate call may not prompt for credentials. Seems like the `end_session_endpoint` value should be read from the OIDC metadata and then invoked on a sign out?
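
The sign-out step proposed in the issue text, as an added example that is not MSAL.NET code and not part of the original thread: it reads `end_session_endpoint` from an OIDC discovery document and builds the URL a sign-out would open in the same web view that holds the session cookie. The class name, the `idp.example.com` and `app.example.com` hosts and the embedded metadata are constructed for illustration; `post_logout_redirect_uri` and `state` are the parameters defined by OpenID Connect RP-Initiated Logout.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

public static class SignOutUrlBuilder   // hypothetical helper, not an MSAL type
{
    // Constructed sample of a discovery document; a real client would fetch it
    // from <authority>/.well-known/openid-configuration over HTTPS.
    public const string SampleMetadata = @"{
      ""issuer"": ""https://idp.example.com/tenant"",
      ""authorization_endpoint"": ""https://idp.example.com/tenant/oauth2/authorize"",
      ""end_session_endpoint"": ""https://idp.example.com/tenant/oauth2/logout""
    }";

    public static Uri Build(string metadataJson, Uri postLogoutRedirect, string state)
    {
        using JsonDocument doc = JsonDocument.Parse(metadataJson);

        // end_session_endpoint is optional in the metadata: fail loudly instead of
        // reporting a sign-out that only cleared the local token cache.
        if (!doc.RootElement.TryGetProperty("end_session_endpoint", out JsonElement ep)
            || ep.ValueKind != JsonValueKind.String)
            throw new InvalidOperationException("IdP does not advertise end_session_endpoint");

        // Never send the browser to a relative or non-HTTPS logout endpoint.
        if (!Uri.TryCreate(ep.GetString(), UriKind.Absolute, out Uri endpoint)
            || endpoint.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("end_session_endpoint must be an absolute HTTPS URL");

        var query = new List<string>
        {
            "post_logout_redirect_uri=" + Uri.EscapeDataString(postLogoutRedirect.AbsoluteUri)
        };
        if (!string.IsNullOrEmpty(state))
            query.Add("state=" + Uri.EscapeDataString(state));

        // Keep any query string the IdP already put on the endpoint.
        var builder = new UriBuilder(endpoint);
        string existing = builder.Query.TrimStart('?');
        builder.Query = (existing.Length > 0 ? existing + "&" : "") + string.Join("&", query);
        return builder.Uri;
    }

    public static void Main()
    {
        Uri url = Build(SampleMetadata, new Uri("https://app.example.com/signed-out"), "constructed-state");
        Console.WriteLine(url); // URL to open in the web view after clearing the local cache
    }
}
```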