
We have a custom policy to allow users to delete their accounts, following something similar to https://github.com/azure-ad-b2c/samples/blob/master/policies/delete-my-account/policy/DeleteMyAccount.xml

If we then invoke another custom policy, the B2C session is still active. The technical profile below still pulls out the old (deleted) objectId.

    <TechnicalProfile Id="SM-AAD">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.DefaultSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <PersistedClaims>
        <PersistedClaim ClaimTypeReferenceId="objectId" />
      </PersistedClaims>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="objectIdFromSession" DefaultValue="true" />
      </OutputClaims>
    </TechnicalProfile>

I see references to invalidateAllRefreshTokens invalidating the browser session, but then see many discussions saying this is not the case.

Is there still not a way to invalidate the session, or to call logout, from a custom policy?

Thanks Nigel.

NigelW61
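One defensive check that fits the symptom described in the question, added here as an example and not part of the question or of Microsoft's sample policies: in any journey that can run after the delete policy, re-read the objectId that SM-AAD restored from the session against the directory before issuing a token, so a deleted account fails the journey instead of receiving a token carrying a stale objectId. The step numbers, the journey this sits in and the output claims are assumptions; AAD-UserReadUsingObjectId, AAD-Common and the RaiseErrorIfClaimsPrincipalDoesNotExist metadata key come from the B2C starter pack.

```xml
<!-- Assumed placement: the step right after the one that triggers SM-AAD and
     restores objectId from the SSO session (e.g. the sign-in step). -->
<OrchestrationStep Order="2" Type="ClaimsExchange">
  <Preconditions>
    <!-- Nothing to validate if no objectId came out of the session. -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <!-- ClaimsExchange Id and technical profile name below are assumed. -->
    <ClaimsExchange Id="AADUserReadWithObjectId-StrictExists"
                    TechnicalProfileReferenceId="AAD-UserReadUsingObjectId-StrictExists" />
  </ClaimsExchanges>
</OrchestrationStep>

<!-- Same shape as the starter pack's AAD-UserReadUsingObjectId, kept separate so
     the strict failure behaviour is explicit. With
     RaiseErrorIfClaimsPrincipalDoesNotExist=true the read of a deleted objectId
     raises an error and the journey stops; no token is issued. -->
<TechnicalProfile Id="AAD-UserReadUsingObjectId-StrictExists">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <!-- Do not persist the result of this read in the SSO session. -->
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <OutputClaims>
    <!-- Assumed output claims; use whichever your relying party needs. -->
    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" />
    <OutputClaim ClaimTypeReferenceId="displayName" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
```

This does not clear the SSO cookie itself; it only stops a journey from trusting a session whose account no longer exists, which is the token-issuance risk the question describes.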