Developer Portal to set up Sign Out with OAUTH
We enabled developer portal user sign in with OAUTH. Azure Active Directory is our IDP & this is updated in identities in APIM. Developer portal is registered as client in AAD.
We are using Sign in with OAUTH function. The sign in works as expected with OAUTH.
Issue is with sign out process. There is no option to Sign out with OAUTH currently provisioned.
Hence we are using standard Signout function.
This is only enabling our users to sign out from their Developer portal session. This does not allow AAD session to be logged out. So when user signs back in, it does not redirect them to go through login process, it just signs right back in. This is a security vulnerability & does not comply with our security requirements for 2FA.
We raised a case with Microsoft. After reviewing our request, Microsoft Product Group recommended that we open an issue on GitHub.
Issue Analytics
- Created 3 years ago
- Reactions:1
- Comments:27 (3 by maintainers)
Top GitHub Comments
We are seeing a similar issue where we can sign in just fine but using the `/#signout` doesn't actually seem to make a request to the B2C app's Front-channel logout URL in order to clear the session data. Signing out does bring us to https://login.microsoftonline.com/common/oauth2/v2.0/logoutsession which terminates the developer portal session but never seems to run the actual B2C logout flow / make a request to that front-channel logout URL.
I have updated this comment since originally posting to further emphasize that this is a Developer Portal bug:
We have in fact verified the B2C logout URI that we link to from our custom sign out button does do the job of expiring the B2C (MSAL 2 library) tokens and logging out from the B2C tenant. These MSAL tokens are not however cleared from the browser cache… but they are not the issue (expired). The issue is the Developer Portal SAS token is not cleared and not clearable manually in the browser either (it returns on the next refresh after deletion). However `/#signout` does clean out the SAS.
This behavior makes a very strong case for a signout-oauth button to make this all more foolproof for the Developer Portal administrative designer (see also https://github.com/Azure/api-management-developer-portal/issues/1301)
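An added example, not code from this issue thread or from the APIM developer portal project, showing the federated sign-out the comments above are asking for: the local portal session (the SAS token) is cleared and the browser is then sent to the identity provider's end-session endpoint (OpenID Connect RP-initiated logout), plus an audit helper that distinguishes that from a local-only sign-out. The endpoint, storage keys and redirect URI are assumptions, and a `Map` stands in for browser storage so it runs in Node.

```javascript
// Added example, not the portal's own code. The endpoint and keys below are
// constructed placeholders standing in for a real tenant's configuration.
const ASSUMED_END_SESSION_ENDPOINT =
  'https://login.microsoftonline.com/common/oauth2/v2.0/logout';

// Local session artefacts a portal sign-out must remove. Leaving any of them
// (the issue above describes a surviving SAS token) lets the user straight back in.
const LOCAL_SESSION_KEYS = ['sas_token', 'id_token', 'access_token', 'refresh_token'];

// Build the RP-initiated logout URL: id_token_hint tells the IdP which session
// to end, post_logout_redirect_uri brings the browser back to the portal.
function buildEndSessionUrl(endSessionEndpoint, { idTokenHint, postLogoutRedirectUri, state } = {}) {
  const url = new URL(endSessionEndpoint);
  if (idTokenHint) url.searchParams.set('id_token_hint', idTokenHint);
  if (postLogoutRedirectUri) url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (state) url.searchParams.set('state', state);
  return url.toString();
}

// Federated sign-out: clear local state first, then hand the browser to the IdP.
// A local-only sign-out (the bug described above) stops after the first step.
function signOut(storage, endSessionEndpoint, postLogoutRedirectUri) {
  const idToken = storage.get('id_token');
  for (const key of LOCAL_SESSION_KEYS) storage.delete(key);
  const localCleared = LOCAL_SESSION_KEYS.every((k) => !storage.has(k));
  const redirectTo = buildEndSessionUrl(endSessionEndpoint, {
    idTokenHint: idToken,
    postLogoutRedirectUri,
  });
  return { localCleared, redirectTo };
}

// Audit helper: true only if the sign-out redirect lands on the IdP's end-session
// endpoint and any return URI is one the relying party has allow-listed.
function isFederatedSignOut(redirectUrl, endSessionEndpoint, allowedRedirectUris) {
  let target;
  try { target = new URL(redirectUrl); } catch { return false; }
  const endpoint = new URL(endSessionEndpoint);
  if (target.origin !== endpoint.origin || target.pathname !== endpoint.pathname) return false;
  const back = target.searchParams.get('post_logout_redirect_uri');
  return back === null || allowedRedirectUris.includes(back);
}
```

Run through an existing sign-out button's redirect with `isFederatedSignOut` to confirm it ends the IdP session rather than only the portal one.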
Is there any timeline yet?