microsoft-authentication-library-for-dotnet: Sign out does not clear SSO token

Looking at the code, I don’t see Sign Out being properly implemented. There is a way to remove the user tokens from the local cache, but it does not appear to invoke the system web view to hit the end_session_endpoint endpoint value. That may leave the cookie between the system and the device valid such that a subsequent authenticate call may not prompt for credentials.

Seems like the end_session_endpoint value should be read from the OIDC metadata and then invoked on a sign out?
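One way to do the full sign-out the issue asks for, as an added example (not MSAL's own implementation and not code from this thread): clear the local cache, then read end_session_endpoint from the OIDC metadata and open it in the system browser. The authority, the post-logout redirect URI and the use of the system browser (not an embedded web view) are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class SignOutHelper
{
    // Assumed values for this example; replace with the app's own registration.
    const string Authority = "https://login.microsoftonline.com/common/v2.0";
    const string PostLogoutRedirectUri = "https://localhost/signed-out";

    static readonly HttpClient Http = new HttpClient();

    // Step 1: remove every cached account (the part MSAL already offers).
    // Step 2: end the server-side session via the OIDC end_session_endpoint,
    // so the browser's session cookie no longer lets AcquireTokenInteractive skip the prompt.
    public static async Task SignOutAsync(IPublicClientApplication pca)
    {
        foreach (var account in await pca.GetAccountsAsync())
        {
            await pca.RemoveAsync(account);
        }

        var endSessionEndpoint = await GetEndSessionEndpointAsync(Authority);
        var url = $"{endSessionEndpoint}?post_logout_redirect_uri={Uri.EscapeDataString(PostLogoutRedirectUri)}";

        // Must open in the same browser that holds the login session cookie.
        Process.Start(new ProcessStartInfo(url) { UseShellExecute = true });
    }

    // Read end_session_endpoint from the discovery document rather than hardcoding it.
    public static async Task<string> GetEndSessionEndpointAsync(string authority)
    {
        var metadataUrl = $"{authority.TrimEnd('/')}/.well-known/openid-configuration";
        using var stream = await Http.GetStreamAsync(metadataUrl);
        using var doc = await JsonDocument.ParseAsync(stream);
        if (!doc.RootElement.TryGetProperty("end_session_endpoint", out var endpoint))
        {
            throw new InvalidOperationException("Identity provider does not advertise end_session_endpoint.");
        }
        return endpoint.GetString();
    }
}
```

If the interactive login ran in an embedded web view, the session cookie lives in that web view's cookie store, so the logout URL has to be loaded there instead of in the system browser.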

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 18
  • Comments: 20 (7 by maintainers)

Most upvoted comments

Any update on this? IMO, this should not be marked as an enhancement - it’s a defect that can potentially lead to PII issues.

Hi @shripathi-kamath - you have some control over the browser by using the .WithPrompt method. AFAIK Prompt.ForceLogin will always force the user to enter their password.

// Prompt.ForceLogin makes the identity provider ask for credentials even if a session cookie exists
var result = await pca.AcquireTokenInteractive(_scopes)
                      .WithPrompt(Prompt.ForceLogin)
                      .ExecuteAsync();

Thanks for the answer; I ended up using CefSharp in ICustomWebUi and running it in incognito mode.

Yep, that’s the plan. We need a few more things sorted out on STS side, hence we did not push it out for preview.