
postLogoutRedirectUri not working when authority url contains a tenant ID

Open chill0216 opened this issue 2 years ago • 47 comments

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.30.0

Wrapper Library

MSAL React (@azure/msal-react)

Wrapper Library Version

1.4.9

Public or Confidential Client?

Public

Description

When I modify the authority value to include the tenant ID (e.g., 'https://login.microsoftonline.com/{your-tenant-id}') and then log out, the browser fails to redirect me back to my application. However, if I use "common" in the URL, the redirect works as expected.

I have also confirmed that the logout URL is properly set in the Azure portal, but the issue persists.

Notably, the issue only occurs when using a tenant-specific authority URL, as it works fine with the default 'https://login.microsoftonline.com/common' URL.

Error Message

No response

Msal Logs

No response

MSAL Configuration

// MSAL configuration as posted in the report (comments added). The values in
// braces are the reporter's own placeholders and must be replaced with real values.
export const msalConfig = {
    auth: {
        clientId: "{your-client-id}",
        // Tenant-specific authority. The report states that logout does not redirect
        // with this value but does with 'https://login.microsoftonline.com/common'.
        authority: 'https://login.microsoftonline.com/{your-tenant-id}',
        // Relative URIs; MSAL resolves them against the page origin when it builds
        // the request (the logout requests later in the thread show http://localhost:4200/).
        redirectUri: "/",
        postLogoutRedirectUri: "/",
    },
    cache: {
        cacheLocation: "localStorage",
        storeAuthStateInCookie: false,
    },
};

Relevant Code Snippets

import { useMsal } from "@azure/msal-react";

// Inside a React component rendered under MsalProvider: `instance` is the
// PublicClientApplication that issues the logout request.
const { instance } = useMsal();

const handleLogout = () =>
    instance.logoutRedirect({
        postLogoutRedirectUri: '/',
    });

Reproduction Steps

  1. Change the authority to 'https://login.microsoftonline.com/{your-tenant-id}' and log in using your credentials.
  2. Log out and observe that you are not redirected back to localhost.
  3. Update the authority to 'https://login.microsoftonline.com/common' and log in again.
  4. Log out and notice that you are now redirected back to my application.

Expected Behavior

I anticipate that when logging out with the tenant ID in the authority URL, the browser should redirect the user to the application, similar to how it behaves when the authority URL contains "common".

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

Chrome

Regression

No response

Source

Internal (Microsoft)

chill0216 avatar Mar 10 '23 03:03 chill0216

Hey @chill0216 ,

Are you seeing any errors in the console when you use the tenant id?

lalimasharda avatar Mar 10 '23 16:03 lalimasharda

Hey @chill0216 ,

Are you seeing any errors in the console when you use the tenant id?

I am not seeing any errors, no. It just logs me out and stays on this screen: [screenshot: Screen Shot 2023-03-10 at 1 11 56 PM]

chill0216 avatar Mar 10 '23 18:03 chill0216

Okay, it seems that you are stuck on the log out page and it isn't redirecting back to your application. Can you try changing your postLogoutRedirectUri to a different uri like '/logout' or '/homepage' in your application? Are you experiencing this in logout popup as well?

I do not think tenantid is causing an issue here. Especially because you are able to login with the same authority uri.

lalimasharda avatar Mar 10 '23 19:03 lalimasharda

@lalimasharda Yes, I attempted to modify the URI, but it was unsuccessful. I also tried this using the MSAL react sample application in this repo and the same thing happens. It doesn't redirect me back to the application unless authority is https://login.microsoftonline.com/common.

https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/samples/msal-react-samples/react-router-sample

After initiating the logoutPopup, I am logged out within the popup and directed to the "You signed out of your account" page, however, the popup remains open and does not close unless I manually close it.

Were you able to reproduce my issue on your end?

[screenshot: Screen Shot 2023-03-10 at 2 16 52 PM]

chill0216 avatar Mar 10 '23 19:03 chill0216

Yes, I did try reproducing it with that sample above with the Microsoft tenant id and it worked for me. Can you please share your verbose msal logs.. maybe I can compare it with mine and see where exactly it is failing?

lalimasharda avatar Mar 10 '23 22:03 lalimasharda

@lalimasharda By the way, have you tested the application on Chrome? I tested it on Safari earlier and it worked without any issues. Whenever I signed out, it always redirected me back to the application. However, I noticed that when I tried it on Chrome or Firefox, the redirect feature didn't work as expected.

Yes, here are all of the logs that I see when logging out:

[Sat, 11 Mar 2023 19:25:35 GMT] : @azure/[email protected] : Info - Emitting event: msal:logoutStart
[Sat, 11 Mar 2023 19:25:35 GMT] : @azure/[email protected] : Info - MsalProvider - msal:logoutStart results in setting inProgress from none to logout
[Sat, 11 Mar 2023 19:25:35 GMT] : @azure/[email protected] : Info - Emitting event: msal:logoutSuccess

chill0216 avatar Mar 11 '23 19:03 chill0216

@chill0216 I have a very similar issue on the Angular version. Mine works in Safari but not in Chrome or Firefox. I have recently discovered that if I create a new user in AD and log in using that new user, it redirects correctly, but it does not if I use the main admin AD user or external users such as a Gmail account that was invited.

The other way it works is if I am in incognito mode or set third party cookies to be blocked in non incognito mode.

I’m curious if you have the same outcome?

benaguitar avatar Mar 12 '23 14:03 benaguitar

Hey @benaguitar, I had the exact same issue as you! I just made a new user in AD, logged in, and then logged out and was redirected back to the app correctly. It just doesn't work for the primary admin user and external users.

@lalimasharda, it looks like this same bug occurs for both @benaguitar and me.

chill0216 avatar Mar 12 '23 17:03 chill0216

Hey @sameerag , let me know if you can help us resolve this issue. Thanks

chill0216 avatar Mar 14 '23 13:03 chill0216

@chill0216 To summarize, AAD users work, guest users are not redirected. Correct? What do you mean by primary admin user?

sameerag avatar Mar 15 '23 03:03 sameerag

@sameerag Sorry, by primary user I mean the user account that I used to create the Azure account (screenshot 1 - [email protected]). This user account does not get redirected back to the app after logging out. However, the “Delete” user (screenshot 2) that I created by selecting “New User” > “Create new user” does get redirected back to the app after logging out.

[Screenshot 1]

[Screenshot 2]

chill0216 avatar Mar 15 '23 13:03 chill0216

@chill0216 Can you share the requests for both cases when you logout? I want to check the value of postLogoutUri in the STS request for both the cases.

e.g.,

https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2Flogout%2F%3F&client_id=<..

sameerag avatar Mar 15 '23 23:03 sameerag

@sameerag For [email protected], it is https://login.microsoftonline.com/37ac774b-b8b2-4d6a-bb92-92dbfb5fdf77/oauth2/v2.0/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A4200%2F&client-request-id=cc0567cc-2c3e-4e80-ae6d-12cb12a5a093 (Doesn't redirect)

For [email protected], it is https://login.microsoftonline.com/37ac774b-b8b2-4d6a-bb92-92dbfb5fdf77/oauth2/v2.0/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A4200%2F&client-request-id=ab8c1033-f4d7-4354-8c78-bda9f8709108 (Does redirect)

chill0216 avatar Mar 15 '23 23:03 chill0216

@sameerag Any update on this?

chill0216 avatar Mar 19 '23 03:03 chill0216

@chill0216 This could be a service issue or you may be having a session in one case and do not in another (in which case STS deems this is not a safe route to redirect and does not redirect). To know what is what, can you please share the fiddler trace for both cases? You can send them to my email (which is in my profile).

sameerag avatar Mar 20 '23 19:03 sameerag

@sameerag Sent the Fiddler trace for both. Let me know if you need me to send it in a different format

chill0216 avatar Mar 23 '23 03:03 chill0216

Thanks @chill0216 for the logs. @konstantin-msft is checking them, one of us will reach out once we have some info.

sameerag avatar Mar 23 '23 04:03 sameerag

Thanks a lot!

chill0216 avatar Mar 23 '23 13:03 chill0216

This issue requires attention from the MSAL.js team and has not seen activity in 5 days. @hectormmg please follow up.

ghost avatar Apr 03 '23 01:04 ghost

@hectormmg cc

sameerag avatar Apr 03 '23 04:04 sameerag

Any update on this @jo-arroyo?

chill0216 avatar Apr 06 '23 21:04 chill0216

Your logs show that the post logout redirection did not occur because there was no session found to log out of. This can happen if the tenant the user is signed into is different from the tenant you are attempting to sign out of, as would be the case for external users. Is there a reason you don't want to use the /common endpoint? That's what we would normally recommend using in all cases, including in cases where you signed in to a specific tenant.

tnorling avatar Apr 10 '23 21:04 tnorling
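The two things the maintainers asked the reporter to check above, the value of post_logout_redirect_uri in the STS request and whether a session exists in the tenant the logout is sent to, can be checked from the client before calling logoutRedirect. The following is an added example, not code from the MSAL.js project or from anyone in this thread. It assumes MSAL's AccountInfo.homeAccountId has the documented "<uid>.<utid>" shape, where utid is the user's home tenant, and it uses the tenant ID and redirect URI from the logout requests posted earlier with constructed object IDs and a made-up home tenant for the guest case:

```javascript
// Added example, not code from the MSAL.js project or the issue thread.
// Inspects the v2.0 logout request MSAL sends and flags the two conditions
// discussed in the thread: a tenant-specific /logout endpoint that does not
// match the tenant holding the user's session, and a post_logout_redirect_uri
// that is not absolute or not registered for the app. Runs in Node or a
// browser; only the WHATWG URL API is used.

const AAD_HOST = "login.microsoftonline.com";
const LOGOUT_PATH = /^\/([^/]+)\/oauth2\/v2\.0\/logout$/;
// Tenant aliases where the STS resolves the session itself, so no tenant check applies.
const TENANT_ALIASES = new Set(["common", "organizations", "consumers"]);

// Parse a logout URL into its tenant path segment and the query parameters of interest.
function parseLogoutRequest(url) {
  const u = new URL(url);
  const m = LOGOUT_PATH.exec(u.pathname);
  if (u.hostname !== AAD_HOST || !m) {
    throw new Error("not an AAD v2.0 logout request: " + url);
  }
  return {
    tenant: m[1],
    postLogoutRedirectUri: u.searchParams.get("post_logout_redirect_uri"),
    clientRequestId: u.searchParams.get("client-request-id"),
  };
}

// Home tenant of an MSAL AccountInfo. Assumption: homeAccountId is "<uid>.<utid>"
// with utid being the tenant where the user's sign-in session lives.
function homeTenantOf(account) {
  const parts = account.homeAccountId.split(".");
  return parts.length === 2 ? parts[1] : null;
}

// Returns { ok, request, problems } for a logout request, an account and the
// app's registered post-logout redirect URIs (absolute, as registered in the portal).
function checkLogoutRequest(url, account, registeredPostLogoutUris) {
  const req = parseLogoutRequest(url);
  const problems = [];

  if (!TENANT_ALIASES.has(req.tenant)) {
    const home = homeTenantOf(account);
    if (home && home !== req.tenant) {
      problems.push(
        `logout sent to tenant ${req.tenant} but the account's home tenant is ${home}; ` +
        "the STS finds no session there and does not redirect (use the /common authority for logout)"
      );
    }
  }

  if (!req.postLogoutRedirectUri) {
    problems.push("post_logout_redirect_uri is missing; the STS stops on its signed-out page");
  } else {
    let target = null;
    try {
      target = new URL(req.postLogoutRedirectUri);
    } catch {
      problems.push(`post_logout_redirect_uri is not absolute: ${req.postLogoutRedirectUri}`);
    }
    if (target && !registeredPostLogoutUris.includes(target.href)) {
      problems.push(`post_logout_redirect_uri ${target.href} is not registered for this app`);
    }
  }
  return { ok: problems.length === 0, request: req, problems };
}

// Constructed sample data: the tenant and redirect URI from the thread's logout
// requests, with made-up object IDs and a made-up home tenant for the guest case.
const TENANT = "37ac774b-b8b2-4d6a-bb92-92dbfb5fdf77";
const LOGOUT_URL =
  `https://login.microsoftonline.com/${TENANT}/oauth2/v2.0/logout` +
  "?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A4200%2F" +
  "&client-request-id=cc0567cc-2c3e-4e80-ae6d-12cb12a5a093";
const REGISTERED = ["http://localhost:4200/"];
const memberAccount = {
  homeAccountId: `11111111-1111-1111-1111-111111111111.${TENANT}`,
  tenantId: TENANT,
};
const guestAccount = {
  homeAccountId: "22222222-2222-2222-2222-222222222222.99999999-9999-9999-9999-999999999999",
  tenantId: TENANT,
};

// Member of the tenant, guest signed out via the tenant, and guest signed out via /common.
function runSamples() {
  return {
    member: checkLogoutRequest(LOGOUT_URL, memberAccount, REGISTERED),
    guest: checkLogoutRequest(LOGOUT_URL, guestAccount, REGISTERED),
    guestViaCommon: checkLogoutRequest(LOGOUT_URL.replace(TENANT, "common"), guestAccount, REGISTERED),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSamples(), null, 2));
}
```

In the guest case the only finding is the tenant mismatch, which matches the maintainer's reading of the Fiddler trace (no session in the tenant the logout was sent to); switching the logout authority to /common clears it. The registered-URI check is there because the STS only redirects to a post_logout_redirect_uri that is registered for the application, so a relative value that MSAL could not resolve, or a typo in the portal, produces the same symptom of being left on the signed-out page.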

@tnorling Hmm, what would be the case for the user account that I used to create the Azure account not redirecting back to the login page? This is not an external user.

Also, I have tried https://login.microsoftonline.com/common as the authority, but I get an "invalid request" error message: errors: ["invalid_request", "invalid_request", "invalid_request"]. I don't think I can use /common since this is a single-tenant app. Is that correct?

chill0216 avatar Apr 11 '23 15:04 chill0216

Is there any more detail on the invalid_request?

tnorling avatar Apr 11 '23 23:04 tnorling

The fiddler trace you shared before just had the logout request and errored out due to there not being an existing session. If you can send me a fiddler trace showing both a login and the subsequent failed logout with a non-external user I can share it with our server teams and see if they know what's going on.

tnorling avatar Apr 11 '23 23:04 tnorling

@tnorling I sent over the logs to your email. Let me know if you need anything else.

chill0216 avatar Apr 13 '23 20:04 chill0216

I responded over email with a few additional questions, please take a moment to answer those questions when you can. Thanks!

tnorling avatar Apr 17 '23 17:04 tnorling

@tnorling Ok, I will get a response to those questions over to you today.

chill0216 avatar Apr 18 '23 13:04 chill0216

@chill0216 This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.

ghost avatar Apr 27 '23 01:04 ghost

Hey, @tnorling, I'm planning to send you an email to provide a more detailed explanation of the issue I'm currently experiencing. Additionally, I'll include a screen recording to help illustrate the problem.

chill0216 avatar May 19 '23 13:05 chill0216