Logout_hint parameter not being added to AAD identity provider logout URL in B2C custom policy


I am trying to add a logout_hint parameter to the logout URL for a B2B identity provider in an Azure AD B2C custom policy.

I have verified that the login_hint parameter is being added correctly to the user's token claims, and have checked that the claims transformation is correctly referenced in the technical profile(s). I can see from the network traffic that a logout request is being sent when the user signs out. However, the logout_hint parameter is not being added to the identity provider logout URL when a user signs out.

Is there something else that I need to do in order to ensure that the logout_hint parameter is added to the identity provider logout URL?

It's not a problem to get the login_hint from the token. And it's not a problem to add a logout_hint to the link on logout. But this parameter (logout_hint) will be added only to the B2C logout link. In the B2C policy, I added functionality for single sign-out.

And when the user logs out of B2C, a logout request to the federated identity provider (https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/logout) is sent in the background, but the user is not logged out of this federated identity provider. If the user simply opens the link https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/logout in the browser, the user will need to select an account for the logout. But if the user follows the link https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/logout?logout_hint={login_hint}, he will be logged out of the federated identity provider.

Accordingly, I need to somehow make sure that the logout_hint parameter is added to the federated identity provider's logout link when the user logs out from B2C and a logout request to the federated identity provider is sent in the background.

So, my goal is to log a user out of the federated IDP when the user logs out of the application.


Mavric20

Thank you for posting your query. To add logout_hint you can extract the login_hint claim in your app and set it as the logoutHint in the logout request:

There are two ways to achieve a promptless logout:

// homeAccountId is the home account identifier of the signed-in user
// (e.g. saved from the sign-in response)
const currentAccount = msalInstance.getAccountByHomeId(homeAccountId);

// Extract login hint to use as logout hint
const logoutHint = currentAccount.idTokenClaims.login_hint;
await msalInstance.logoutPopup({ logoutHint: logoutHint });

OR

const currentAccount = msalInstance.getAccountByHomeId(homeAccountId);
// The account's ID Token must contain the login_hint optional claim to avoid the account picker;
// MSAL reads it from the account object and sends it as logout_hint
await msalInstance.logoutRedirect({ account: currentAccount });

Note: Depending on the API you choose (redirect/popup), the app will still redirect or open a popup to terminate the server session. The difference is that the user will not see or have to interact with the server's account picker prompt.

Thanks

German Santana

All docs have the same thing, "might no sign". I am stuck due to the same issue. I'm able to extract the login_hint from a federated AAD in a B2C custom policy, then I put it in the MSAL logout request as a logout_hint property. It is sent to the B2C logout endpoint. But then the B2C logout endpoint returns JavaScript instructions to open an iframe to call the AAD logout endpoint 'https://login.microsoftonline.com/common/oauth2/v2.0/logout' without the logout_hint parameter.

Inspecting the JavaScript code returned by B2C, it calls a 'frameLoader' function, but it has a null in the fields parameter:

$.when(
  frameLoader('https://login.microsoftonline.com/common/oauth2/v2.0/logout', 'GET', null)
).then(function () {

Support for the AAD v2.0 logout_hint parameter, according to some Microsoft employees, was in a test phase last year. Maybe it is supported now.

Also, support in MSAL for the logout_hint parameter was recently released.

As for B2C logout_hint parameter support, there is no documentation about the logout_hint parameter.

It's a real shame that logout_hint is supported by MSAL and AAD, but not by B2C.