api-management-developer-portal
API Management developer portal logout mechanism not revoking B2C token
Bug description
In the developer portal, when a B2C user signs out, the portal does not revoke the token. After sign-out, the user is still able to make valid requests using the same idToken/sharedAccessSignature token value and to get new access tokens from Azure B2C.
Reproduction steps
- Sign out from the portal.
- Use the previous "auth" cookie as a header to make valid calls.
- Call GET /token; we can get a token.
- Further, using the Authorization header, you can make different calls to the portal and get data.
Expected behavior
Logout functionality should allow users to manually log out of the application and should terminate their authenticated session upon logout, immediately removing all access to protected resources from that session, including established sessions for back-end APIs.
Is your portal managed or self-hosted?
Managed.
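The reproduction steps above, turned into a repeatable black-box check. This is an added example for this issue, not code from the issue author or from the api-management-developer-portal project. Only GET /token, the "auth" cookie and the Authorization header come from the report; the sign-out path (/signout), the protected path (/apis), the JSON shape of the /token reply ({"value": ...}) and passing the token raw in the Authorization header are assumptions to adjust for a real portal. The `SimulatedPortal` class is a constructed in-memory stand-in so the check runs offline; `revoke_on_signout=False` reproduces the reported behaviour and `True` the expected one.

```python
"""Replay a pre-logout portal session to see whether sign-out revoked it.

Added example for the logout-revocation issue; not project code.  Assumed
(not from the report): the /signout and /apis paths, the {"value": ...}
reply shape of GET /token, and the raw token as the Authorization header.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# fetch(method, url, headers) -> (status, body).  A pluggable transport lets
# the same check run against a live portal or the offline simulator below.
Fetch = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def urllib_fetch(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Transport for a live portal. urlopen follows redirects, which is fine
    for the sign-out step; non-2xx replies are returned, not raised."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def token_from_body(body: str) -> Optional[str]:
    """Assumed /token reply: JSON object with a "value" field; else raw text."""
    try:
        value = json.loads(body)
    except ValueError:
        return body.strip() or None
    if isinstance(value, dict):
        value = value.get("value")
    return value if isinstance(value, str) and value else None


@dataclass
class Finding:
    token_replay_succeeded: bool    # stale cookie still minted a token at GET /token
    protected_call_succeeded: bool  # that token still read protected data
    detail: str

    @property
    def vulnerable(self) -> bool:
        return self.token_replay_succeeded


def check_logout_revocation(fetch: Fetch, base_url: str, auth_cookie: str,
                            signout_path: str = "/signout",
                            protected_path: str = "/apis") -> Finding:
    """Sign out, then replay the pre-logout "auth" cookie (repro steps 1-4)."""
    cookie_hdr = {"Cookie": f"auth={auth_cookie}"}
    fetch("GET", base_url + signout_path, cookie_hdr)             # step 1: sign out
    status, body = fetch("GET", base_url + "/token", cookie_hdr)  # steps 2-3: replay
    token = token_from_body(body) if status == 200 else None
    if token is None:
        return Finding(False, False,
                       f"GET /token refused the stale cookie (HTTP {status}); session revoked")
    status, _ = fetch("GET", base_url + protected_path, {"Authorization": token})  # step 4
    return Finding(True, status == 200,
                   f"GET /token still issued a token after sign-out; protected call -> HTTP {status}")


class SimulatedPortal:
    """Constructed in-memory stand-in for the portal (not the real service).
    revoke_on_signout=False reproduces the behaviour the issue reports."""

    def __init__(self, revoke_on_signout: bool) -> None:
        self.revoke_on_signout = revoke_on_signout
        self.sessions = {"cookie-abc": "sas-token-123"}  # auth cookie -> issued token
        self.live_tokens = set(self.sessions.values())

    def fetch(self, method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        path = urlsplit(url).path
        cookie = headers.get("Cookie", "")
        cookie = cookie[len("auth="):] if cookie.startswith("auth=") else ""
        if path == "/signout":
            if self.revoke_on_signout and cookie in self.sessions:
                self.live_tokens.discard(self.sessions.pop(cookie))  # server-side revocation
            return 302, ""
        if path == "/token":
            token = self.sessions.get(cookie)
            return (200, json.dumps({"value": token})) if token else (401, "")
        if path == "/apis":
            ok = headers.get("Authorization") in self.live_tokens
            return (200, json.dumps([{"name": "echo-api"}])) if ok else (401, "")
        return 404, ""


if __name__ == "__main__":
    for revoke in (False, True):
        result = check_logout_revocation(SimulatedPortal(revoke).fetch,
                                         "https://portal.example", "cookie-abc")
        print(f"revoke_on_signout={revoke}: vulnerable={result.vulnerable} ({result.detail})")
```

Against a live portal, capture the "auth" cookie value from an authenticated browser session, then call `check_logout_revocation(urllib_fetch, "https://<your-portal>", cookie)` with the real sign-out and protected paths. A `vulnerable=True` result means the cookie, and the token it still mints, outlive the logout exactly as described in the report; it does not test the separate point about obtaining fresh access tokens from Azure B2C, which lives on the B2C endpoints rather than the portal.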
@chytanyapua, thank you for opening this issue. We will triage it within the next few business days.
Hi @chytanyapua, thanks for reaching out. I confirm the issue and we will take a look to fix this. :)
Hi @harunrst, this is identified as a security vulnerability. Could you please let us know when we can expect a fix for this?
Also, could you please tell us if there is any option/reference to fix this using a custom widget by calling the B2C logout endpoint?
Hi @chytanyapua, we have started working on the fix; it will roll out in the first quarter of next year. As for a workaround, unfortunately, there is no other way.
Hi @harunrst, is there any update on this?
This issue is related to the managed developer portal. We advise you to create an Azure support request to get assistance on this issue. Please refer to the link below to create a new Azure support request, and select Problem Type = "Developer Portal" in the request to route it appropriately.
https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request