I am using MSAL Browser v2.0 and using the following code to logout an authenticated user. When the custom policy has Session Expiration attributes set, I find that the following logout code does not clear the user's session from B2C - when I click login after logout within the session expiration time, I am directly logged in to my application without having to enter credentials. Is this the expected behaviour?

import * as msal from "@azure/msal-browser";

// clientId, baseAuthorityURL, policies, knownAuthorities and baseURL are
// module-level values defined elsewhere in the application (not shown in the post).
export function handleAzureLogout(redirect = true) {
  const msalInstance = new msal.PublicClientApplication({
    auth: {
      clientId,
      // B2C authority for the sign-in policy (template literal; backticks were lost in the post)
      authority: `${baseAuthorityURL}/${policies['signIn']}`,
      knownAuthorities,
      redirectUri: baseURL,
      postLogoutRedirectUri: baseURL
    }
  });

  // onRedirectNavigate receives the B2C logout URL; returning false skips the navigation
  const logoutRequest = { onRedirectNavigate: () => redirect };
  msalInstance.logoutRedirect(logoutRequest)
    .catch(() => {
      // error handling omitted in the original post
    });
}

Session settings on SignIn/Signup custom policy.

<UserJourneyBehaviors>
<SingleSignOn Scope="Application" />
<SessionExpiryType>Absolute</SessionExpiryType>
<SessionExpiryInSeconds>900</SessionExpiryInSeconds>
<ScriptExecution>Allow</ScriptExecution>
</UserJourneyBehaviors>

Thanks.

Hello @Anupama Varma, are you always returning true from within onRedirectNavigate? Otherwise, server sign-out will be skipped, and the session will remain active. If that's the case, please clear the cache from within the developer console (localStorage.clear() or sessionStorage.clear()) before clicking login and let us know how it goes.

Hello @Alfredo Revilla (MSFT),

Yes, redirect is true within onRedirectNavigate. When I remove the Session settings from the custom policy, msal.logoutRedirect works fine - I do not even need to do an explicit sessionStorage.clear(). However, when the session settings are added to the custom policy, msal.logoutRedirect does not work. During a subsequent login, msalInstance.handleRedirectPromise() gets a token response and the login page is skipped.

My understanding is that if there is a 15 minute session expiry set on the B2C policy, then the user does not need to log in again even if the Sign in button on the app is clicked. If the user chooses to log out before 15 minutes, then I thought msal.logoutRedirect would clear the local cookies and the user would need to log in again, establishing a new absolute 15 minute session.

Also, I would like to know if msal.logoutRedirect is sufficient or whether I need to additionally sign out by calling the B2C sign-out endpoint: https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#sign-out
I assume msal.logoutRedirect is doing the same behind the scenes. Could you please confirm?

Thanks.
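As an added example (not code from the original post and not MSAL's own source), the following Node-runnable JavaScript separates the two halves of a sign-out that the answer above distinguishes: clearing the local MSAL cache, which always happens, and navigating the browser to the B2C sign-out endpoint, which is what lets B2C drop the SSO session governed by SessionExpiryInSeconds and which is skipped when onRedirectNavigate returns false. It also builds the documented B2C sign-out URL (authority + /oauth2/v2.0/logout with post_logout_redirect_uri) that the follow-up asks about, and includes a check you can run against the URL seen in the browser's network log. The tenant name, policy id and app URL are assumed placeholders; signOut is a stand-in for logoutRedirect's control flow, not MSAL's implementation.

```javascript
// Added example, not code from the original post or from MSAL itself.
// Models the two halves of a B2C sign-out:
//   (1) clear the local MSAL token cache (always happens);
//   (2) navigate the browser to the B2C end_session endpoint so that B2C can
//       drop its SSO session cookie (the one SessionExpiryInSeconds governs).
// If onRedirectNavigate returns false, only (1) happens.
// TENANT, POLICY and APP_URL are assumed values, not taken from the question.

const TENANT = "contoso";                    // assumed
const POLICY = "B2C_1A_signup_signin";       // assumed
const APP_URL = "https://app.example.com/";  // assumed

// Authority in the shape MSAL Browser expects for a B2C custom policy.
function b2cAuthority(tenant, policy) {
  return `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/${policy}`;
}

// Documented B2C sign-out endpoint: <authority>/oauth2/v2.0/logout?post_logout_redirect_uri=...
// id_token_hint is optional here; supply it when the policy is configured to require it.
function buildB2cLogoutUrl({ authority, postLogoutRedirectUri, idTokenHint }) {
  const url = new URL(`${authority.replace(/\/+$/, "")}/oauth2/v2.0/logout`);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  if (idTokenHint) url.searchParams.set("id_token_hint", idTokenHint);
  return url.toString();
}

// Check for the browser's network log: did the navigation that followed "logout"
// actually hit the B2C sign-out endpoint for the expected tenant and policy?
function isB2cSignOutNavigation(navigatedUrl, { tenant, policy }) {
  let u;
  try { u = new URL(navigatedUrl); } catch { return false; }
  const host = `${tenant}.b2clogin.com`.toLowerCase();
  const path = `/${tenant}.onmicrosoft.com/${policy}/oauth2/v2.0/logout`.toLowerCase();
  return u.protocol === "https:" && u.hostname === host && u.pathname.toLowerCase() === path;
}

// Stand-in for logoutRedirect's control flow (assumed model, not MSAL's code).
// `cache` is any object with clear() (sessionStorage/localStorage in the browser);
// `navigate` receives the URL the browser would be sent to (window.location.assign).
function signOut({ cache, navigate, onRedirectNavigate, authority, postLogoutRedirectUri, idTokenHint }) {
  const logoutUrl = buildB2cLogoutUrl({ authority, postLogoutRedirectUri, idTokenHint });
  cache.clear(); // local half: the app's own tokens are gone regardless of what follows
  if (onRedirectNavigate && onRedirectNavigate(logoutUrl) === false) {
    return { serverSignOut: false, logoutUrl }; // B2C SSO session survives until it expires
  }
  navigate(logoutUrl);
  return { serverSignOut: true, logoutUrl };
}

// Runs one sign-out with a constructed cache and records where the browser was sent.
function demo(redirect) {
  const cache = new Map([["msal.account", "constructed-cache-entry"]]);
  const navigations = [];
  const result = signOut({
    cache,
    navigate: (url) => navigations.push(url),
    onRedirectNavigate: () => redirect,
    authority: b2cAuthority(TENANT, POLICY),
    postLogoutRedirectUri: APP_URL,
  });
  return { cacheCleared: cache.size === 0, serverSignOut: result.serverSignOut, navigations };
}
```

The practical check is the one isB2cSignOutNavigation encodes: after clicking logout, the browser's network log should show a top-level navigation to the tenant's b2clogin.com host on the policy's /oauth2/v2.0/logout path. If it does not, only the local cache was cleared; the B2C session cookie lives on the b2clogin.com domain, so sessionStorage.clear() in the application cannot end it and the next sign-in will be silent until SessionExpiryInSeconds elapses.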