
I have a SignUp Invite Flow via email implemented using Azure Active Directory B2C Custom policy. It works as expected. But, I have a scenario to be handled.

If a user, UserA, is signed into the application and has a valid session, and the same user receives a sign-up link via email, opens the email in the same browser on a different tab, clicks on the SignUp invite link, gets redirected to the SignUp page, provides information as UserB, successfully signs up, and gets redirected to the client app's redirect URI: now, since a valid session for UserA already exists, the sign-up link ends up authenticated into the application as UserB. Also, the user is not expected to click on the Logout button, and multiple users are expected to share the same machine, hence the ask.

Although this sounds like a less practical scenario, it is a valid one for the client. I was looking for ways to achieve this.

What I am looking for are:

  1. A way to clear the session information once the user clicks on the SignUp button. Since it's a custom policy, the UI elements are not completely or partially under the client app's code's reach (IMO). Please correct me if I am wrong and if it's possible to take control over the click event and execute a piece of javascript code to clear the browser session for the user.
  2. A way to handle redirect for the SignUp flow separately such that the landing page only has code to execute 2 functions. ClearUserSession(); RedirectToLogin();
  3. Or any other way to handle this?

Basically, a way to simulate a Signout/Logout following a registration/signup.

I would really appreciate any leads on this; they will prove extremely helpful.

  • If not added till now, you can try adding "prompt=login" at the end of the sign-up URI. It will clear any active session. – mohit agrawal Nov 26 '21 at 08:53
  • Thank you @mohitagrawal. This really worked like a charm. Although it didn't invalidate the existing session in the other browser tab, at least to my concern it didn't log the newly signed-up user into the existing session. UserA signed into browser window1 tab1. UserB clicks on the sign-up link on window1 tab2. Signs up successfully. Now, with the above query string &prompt=login appended to the SignUp URL, the user gets redirected to a SignIn page on window1 tab2 (which is great). But then, to check if UserA's session was invalidated, I tried refreshing the app on window1 tab1. – Abhay Nagaraj Dec 02 '21 at 08:33
  • Continued... The app successfully obtains an access token for UserA and loads the app with the same session. Does this mean that UserA's session is not invalidated? Or has the token been renewed silently in the background on refresh using the refresh token? If so, can we avoid that? Because I tried @RahulKumarShaw-MT's solution of selecting the SignOut URL as the reply URL for the SignUp custom policy, but it didn't work as expected. Any thoughts would be helpful. – Abhay Nagaraj Dec 02 '21 at 08:37

1 Answer

It seems this is not possible, as we cannot take control over the click event on Signup using an Azure B2C Custom Policy.

Here is the session behaviour for Azure AD B2C.

When a user tries to access a protected resource on the app, the app checks whether there is an active session on the application side. If there is no app session or the session has expired, the app will take the user to the Azure AD B2C sign-in page.

The application session can be a cookie-based session stored under the application domain name, such as [https://contoso.com](https://contoso.com).

Even when you want to sign the user out of the application, it isn't enough to clear the application's cookies or otherwise end the session with the user. You must redirect the user to Azure AD B2C to sign out. Otherwise, the user might be able to re-authenticate to your applications without entering their credentials again.

The sign-out clears the user's single sign-on state with Azure AD B2C, but it might not sign the user out of their social identity provider session. For a local account, the session ends properly after sign-out.

Reference: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-user-flow

RahulKumarShaw
  • Did you suggest selecting the SignOut URI as the Reply URL in the Custom Policy on the portal? @RahulKumarShaw-MT – Abhay Nagaraj Nov 23 '21 at 15:09
  • @AbhayNagaraj no, I am suggesting using the signout URI as the reply URL. Please read the first line of my answer: it will not be possible to clear the browser session on clicking the Sign-up link because we cannot control the signup event of an Azure AD B2C Custom policy. – RahulKumarShaw Nov 23 '21 at 15:28
  • I see what you were referring to. And I have done the following: - Copy the SignOut URI from the app registration of the SPA. - Add that as one of the redirect URIs for the app registration. - Now select the signout URI from the drop-down and set it as the reply URL for the custom policy for the sign-up invitation link. And I see no difference. The SignUp policy link, after the signup button is submitted/hit, redirects to the client app's landing page regardless. Am I doing something wrong? – Abhay Nagaraj Nov 24 '21 at 13:57
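The two points raised in this thread, `prompt=login` on the sign-up invite link (the comment under the question) and ending the session through the B2C sign-out endpoint instead of only clearing app cookies (the answer), as an added JavaScript example that is not part of the question or the answer; the tenant, policy names, client id and redirect URI are hypothetical placeholders.

```javascript
// Added example, not code from the question or answer. Builds the Azure AD B2C
// URLs the thread discusses. Tenant, policy names, client id and redirect URI
// below are hypothetical placeholders.
const TENANT = "contoso";
const CLIENT_ID = "00000000-0000-0000-0000-000000000000"; // placeholder
const REDIRECT_URI = "https://contoso.com/auth/callback";

// Common prefix of the custom-policy endpoints for this tenant.
function policyBase(policy) {
  return `https://${TENANT}.b2clogin.com/${TENANT}.onmicrosoft.com/${policy}/oauth2/v2.0`;
}

// Authorize URL for the invite policy. prompt=login tells B2C to ignore its own
// SSO cookie for this request, so UserB is asked to authenticate even though
// UserA's B2C session cookie is present in the same browser.
function buildSignUpInviteUrl(policy, extraParams = {}) {
  const url = new URL(`${policyBase(policy)}/authorize`);
  const params = {
    client_id: CLIENT_ID,
    response_type: "code",
    redirect_uri: REDIRECT_URI,
    scope: `openid offline_access ${CLIENT_ID}`,
    response_mode: "query",
    prompt: "login",
    ...extraParams, // e.g. id_token_hint carrying the invite token
  };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// End-session URL. Clearing the app's own cookies is not enough: the B2C SSO
// cookie survives until the browser is sent to this endpoint.
function buildLogoutUrl(policy, postLogoutRedirectUri) {
  const url = new URL(`${policyBase(policy)}/logout`);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return url.toString();
}

// Landing-page decision sketched in the question (ClearUserSession followed by
// RedirectToLogin): when the app still holds a session for someone other than
// the user who just signed up, route the browser through B2C sign-out and land
// back on the app's sign-in entry point. Returns null when nothing is needed.
function afterSignUpRedirect(existingSessionUser, signedUpUser, signInPolicy) {
  if (existingSessionUser && existingSessionUser !== signedUpUser) {
    return buildLogoutUrl(signInPolicy, `${REDIRECT_URI}?post_signup=1`);
  }
  return null;
}
```

Note that `prompt=login` only forces fresh authentication for that one request; tokens the SPA already holds in another tab stay valid until they expire or the browser is sent through the logout endpoint.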