We are using react-aad-msal to authenticate users with Azure AD via AD B2C. B2C is configured with custom policies, but nothing specific to logout. We are passing authority, domain_hint and login_hint in authenticationParameters, which change dynamically based on what the user enters in the application's email prompt before they are redirected to the B2C login.

The initial login works fine. However, after calling authProvider.logout(), if a different user tries to log in and their external IdP doesn't change but the login_hint does, it still somehow holds on to the token of the previous user. I see it going to the post-logout redirect URI. Local storage is empty and authenticationState is Unauthenticated, but then out of the blue the token of the previous user appears in local storage. Setting prompt to 'login' doesn't help.

Has anyone had similar issues? Where is it getting the token from? Strangely enough, it works correctly in Firefox but not in Chrome. Also, after changing the user it sometimes randomly goes into an endless loop, with a message in the browser console that login is already in process.
- Could you share the code you tried? – unknown Dec 14 '20 at 06:24
- Can you please tell us which IdP you are using and share the library details with us? – Raghavendra beldona Dec 16 '20 at 10:37
- Hi. We are using Azure AD as the IdP. I was able to reproduce the issue outside of the React library, just with the plain MSAL.js sample downloaded from here: https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp. The issue is described in more detail here: https://learn.microsoft.com/en-us/answers/questions/195389/support-for-multiple-users-logging-to-azure-ad-b2c.html. The MSAL.js login request looks like this: `const loginRequest = { scopes: ["openid profile"], loginHint: 'marina.gurevich@heliosb2c.com', extraQueryParameters: { domain_hint: 'heliosb2c_com' } };` – Marina Gurevich Dec 16 '20 at 19:20
- The second user gets the same domain_hint but a different login_hint. But it's ignored, and the 2nd user can log in with the 1st user's token. Adding prompt: 'login' did not change anything. – Marina Gurevich Dec 16 '20 at 19:27
- See https://stackoverflow.com/questions/65113300/azure-ad-b2c-reuses-previous-users-token-after-logout-when-user-changes as a workaround. – Marina Gurevich Jan 06 '21 at 21:09
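The following is an added example for this thread, not code from the question, from react-aad-msal or from MSAL.js. It builds the login request the question and the comments describe (loginHint and domain_hint derived from the e-mail typed into the app's prompt) and adds the check a practitioner would want here: after MSAL hands back an account, verify that the account actually belongs to the user the login_hint named before the app treats the session as authenticated, so a token left over from the previous user is rejected rather than silently reused. Assumptions: the domain_hint is the e-mail domain with dots replaced by underscores (heliosb2c.com -> heliosb2c_com, as in the comments); account objects follow the shape of MSAL.js AccountInfo (username, homeAccountId, idTokenClaims), with B2C's "emails" array claim handled; the second user's address and the sample account are constructed.

```javascript
// Added example (not the question's code, not MSAL.js's own). It builds the
// login request described in the thread and checks that whatever account MSAL
// returns matches the login_hint before it is treated as the signed-in user.

// Build the MSAL.js login request for the e-mail the user typed. The
// domain_hint derivation (dots -> underscores) is an assumption about this
// tenant's policy, taken from the 'heliosb2c_com' value in the comments.
function buildLoginRequest(email, scopes = ["openid", "profile"]) {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) {
    throw new Error(`not an e-mail address: ${email}`);
  }
  const domain = email.slice(at + 1).toLowerCase();
  return {
    scopes,
    loginHint: email,
    prompt: "login", // force re-authentication (the question notes this alone was not enough)
    extraQueryParameters: { domain_hint: domain.replace(/\./g, "_") },
  };
}

// Extract the e-mail that identifies an MSAL account. Azure AD normally fills
// username / preferred_username; B2C custom policies typically emit an
// "emails" array claim instead. Returns null when no e-mail can be found.
function accountEmail(account) {
  if (!account) return null;
  const claims = account.idTokenClaims || {};
  const candidates = [
    account.username,
    claims.preferred_username,
    claims.email,
    Array.isArray(claims.emails) ? claims.emails[0] : undefined,
  ];
  const hit = candidates.find((c) => typeof c === "string" && c.includes("@"));
  return hit ? hit.toLowerCase() : null;
}

// True only when the account is for the user named by loginHint
// (case-insensitive comparison, since e-mail casing varies between IdPs).
function accountMatchesHint(account, loginHint) {
  const email = accountEmail(account);
  return email !== null && email === loginHint.trim().toLowerCase();
}

// Pick the account to use after login / redirect handling. A cached account
// left over from a previous user does not match the new hint and is rejected,
// so the app must run a fresh login instead of reusing the old token.
function selectAccount(accounts, loginHint) {
  return accounts.find((a) => accountMatchesHint(a, loginHint)) || null;
}

// Constructed sample data: the first user's account as getAllAccounts() might
// return it (B2C-style "emails" claim, empty username), and a second user
// typing a different (hypothetical) address into the app's e-mail prompt.
const staleAccount = {
  homeAccountId: "constructed-home-account-id",
  username: "",
  idTokenClaims: { emails: ["marina.gurevich@heliosb2c.com"] },
};
const secondUser = "second.user@heliosb2c.com"; // hypothetical

const request = buildLoginRequest(secondUser);
const chosen = selectAccount([staleAccount], secondUser);
console.log(request.extraQueryParameters.domain_hint); // heliosb2c_com
console.log(chosen === null ? "stale account rejected; run a fresh login" : "reusing account");
```

In an app using MSAL.js this check would run on the result of handleRedirectPromise() or on getAllAccounts() before calling acquireTokenSilent(); when selectAccount() returns null, call loginRedirect() with the freshly built request rather than trusting whatever account is already in the cache.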