No logout redirect after closing and reopening browser
Library
- msal@1.4.8 or @azure/msal@1.x.x
- @azure/msal-browser@2.x.x
- @azure/msal-node@1.x.x
- @azure/msal-react@1.x.x
- @azure/msal-angular@0.x.x
- @azure/msal-angular@1.x.x
- @azure/msal-angular@2.0.0-beta.0
- @azure/msal-angularjs@1.x.x
Framework
- Angular 11
- React
- Other
Description
We noticed that after a user logs in, closes and reopens their browser and then tries to log out, the user doesn't get redirected to the filled-out postLogoutRedirectUri but gets stuck with the message:
"You have been logged out of your account. It is best to close all browser windows."
We’re logging in the user and acquiring an access token for our own API to access it through single sign-on.
This behavior happens in all browsers in both plain JavaScript with MSAL version 1.4.8 as well as in an Angular application using msal-angular version 2.0.0-beta.0.
Error Message
MSAL Configuration
```javascript
// Configuration as posted in the issue, wrapped so it is a complete object.
const msalConfig = {
  auth: {
    clientId: '{clientId}',
    authority: 'https://login.microsoftonline.com/{tenantId}',
    redirectUri: 'https://localhost:4200/login',
    postLogoutRedirectUri: 'https://localhost:4200',
  },
  cache: {
    cacheLocation: 'localStorage',
    storeAuthStateInCookie: true
  }
};
```
Reproduction steps
1. Close all instances of the browser being used.
2. Open a new browser window, navigate to the web application and log in the user.
3. Close the browser instance.
4. Open a new browser window, navigate to the web application and log out the user. No redirect will happen.

Authentication flow in plain JavaScript:
- Logging in the user: Msal.UserAgentApplication.loginRedirect();
- After the login redirect, acquiring an access token for the call to the API: Msal.UserAgentApplication.acquireTokenSilent([api-scope]);
- After closing and reopening the browser, logging out the user: Msal.UserAgentApplication.logout();
Expected behavior
User gets redirected to the page provided in the postLogoutRedirectUri.
Identity Provider
- Azure AD
- Azure B2C Basic Policy
- Azure B2C Custom Policy
- ADFS
- Other
Browsers/Environment
- Chrome
- Firefox
- Edge
- Safari
- IE
- Other (Please add browser name here)
Regression
- Did this behavior work before? Version:
Security
- Is this issue security related?
Source
- Internal (Microsoft)
- Customer request
Issue Analytics
- State:
- Created 3 years ago
- Reactions:1
- Comments:8 (1 by maintainers)
Top GitHub Comments
@maartenstelling As mentioned above, AAD has a known behavior where it drops session cookies on browser close, which is likely the cause of this. The presence of these cookies indicates that the user had previously signed in and trusts the application that sent them to AAD and therefore trusts the URL they may be redirected back to after sign out. Without these cookies post-logout redirection will not occur, in order to protect users from potentially being redirected to a malicious URL they do not trust.

Since this is not an issue with msal, but rather known and partially intended behavior on the server, there's nothing we can do to address this at the moment.

A potential workaround, though not ideal, is that you can call ssoSilent on page load or before logging out. If ssoSilent succeeds you can be fairly certain the session cookie exists and proceed with logout. If it fails with an interaction_required error the cookie likely does not exist and you can skip the server signout by providing an onRedirectNavigate callback that returns false. This will clear the local msal cache of tokens and user data but will not redirect the app to the AAD logout endpoint (if the session cookie doesn't exist there's no reason to go there anyway).

@hpsin Even if there's no user to sign out or there's no cookie, should that prevent the redirect back to the application? As long as the post_logout_redirect_uri is passed and it matches a redirectUri on the app registration, why do we care if AAD removed a cookie or not?
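The workaround described in the maintainer comment above, as an added example that is not code from the issue, from its participants, or from MSAL itself. It assumes the @azure/msal-browser 2.x shapes `ssoSilent(request)` and `logout({ account, postLogoutRedirectUri, onRedirectNavigate })`, and it assumes that an `errorCode` of `interaction_required` (or its siblings `login_required` and `consent_required`) is what MSAL surfaces when AAD no longer has a session cookie. The MSAL instance is injected so the decision logic runs offline against the constructed fake at the bottom; the fake mirrors the documented behaviour that returning `false` from `onRedirectNavigate` suppresses navigation to the logout endpoint.

```javascript
// Added example, not code from the issue or from MSAL itself: probe the AAD
// session with ssoSilent, then either do a full server sign-out (cookie
// present, postLogoutRedirectUri will be honoured) or a local-only sign-out
// (cookie gone, AAD would refuse the post-logout redirect anyway).

// Assumption: these MSAL error codes mean "AAD has no session for this user".
// Anything else (network, config) is not evidence either way and is rethrown.
const NO_SESSION_ERROR_CODES = new Set([
  "interaction_required",
  "login_required",
  "consent_required",
]);

// Probe the AAD session without UI. Resolves true when the hidden-iframe
// sign-in succeeded (session cookie present), false when AAD demanded interaction.
async function hasServerSession(msal, account) {
  try {
    await msal.ssoSilent({ loginHint: account.username, scopes: ["openid"] });
    return true;
  } catch (err) {
    if (err && NO_SESSION_ERROR_CODES.has(err.errorCode)) return false;
    throw err;
  }
}

// Returns which path was taken ("server" or "local") so callers can see the decision.
async function logoutSafely(msal, account, postLogoutRedirectUri) {
  if (await hasServerSession(msal, account)) {
    await msal.logout({ account, postLogoutRedirectUri });
    return "server";
  }
  await msal.logout({
    account,
    // Returning false tells msal-browser to clear its cache but skip the
    // navigation to the AAD logout endpoint.
    onRedirectNavigate: () => false,
  });
  return "local";
}

// Constructed stand-in for PublicClientApplication so the example runs offline.
// `cookiePresent` models whether the browser still holds the AAD session cookie.
function fakeMsal(cookiePresent) {
  const calls = [];
  return {
    calls,
    async ssoSilent(request) {
      calls.push({ op: "ssoSilent", request });
      if (cookiePresent) return { account: { username: request.loginHint } };
      const err = new Error("interaction_required: no session cookie");
      err.errorCode = "interaction_required"; // shape of InteractionRequiredAuthError
      throw err;
    },
    async logout(request) {
      calls.push({ op: "logout", request });
      // msal-browser consults onRedirectNavigate(url) before navigating;
      // only an explicit false suppresses the navigation.
      const url = "https://login.microsoftonline.com/common/oauth2/v2.0/logout";
      const navigate = request.onRedirectNavigate
        ? request.onRedirectNavigate(url) !== false
        : true;
      calls.push({ op: "navigate", happened: navigate });
    },
  };
}

// Run both scenarios from the issue: logout in the same browser session
// (cookie present) and logout after the browser was closed (cookie dropped).
async function runScenarios() {
  const account = { username: "user@example.com" }; // constructed account
  const redirect = "https://localhost:4200";
  const out = {};
  for (const [name, cookie] of [["sameSession", true], ["afterBrowserRestart", false]]) {
    const msal = fakeMsal(cookie);
    const path = await logoutSafely(msal, account, redirect);
    const nav = msal.calls.find((c) => c.op === "navigate");
    out[name] = { path, navigatedToAad: nav.happened };
  }
  return out;
}

runScenarios().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a real app the "server" branch never returns because the browser navigates away to the logout endpoint; the "local" branch returns, and the app is then responsible for navigating to its own post-logout page itself, which is exactly the case the issue describes. Errors other than the interaction-required family are rethrown rather than treated as "no cookie", so a transient network failure does not silently downgrade a sign-out to a local cache clear.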