Azure AD B2C logout after session timeout
UPDATE 04-09-2020:The information below is deprecated. Please take note of the notice by Microsoft:
After hearing from customers during the preview, we've implemented authentication session management capabilities in Azure AD Conditional Access. You can use this new feature to configure refresh token lifetimes by setting sign in frequency. After May 30, 2020 no new tenant will be able to use Configurable Token Lifetime policy to configure session and refresh tokens. The deprecation will happen within several months after that, which means that we will stop honoring existing session and refresh tokens polices. You can still configure access token lifetimes after the deprecation.
I believe that it may be possible to utilize the "User Signin Frequency" setting now thanks to the fact the "Persistance for Browser Sessions" is now properly done. Sadly I cannot test this so if anyone can confirm please describe in a new answer to this question how you've successfully managed this issue and I'll change the answer and direct this message to your answer.
OLD INFORMATION:
So after a few weeks of cooperation with the Microsoft Support team we finally have a closing answer and definite solution:
You are using a sign in policy. For legacy reasons, when you make a call to the /authorize endpoint for a “Sign in policy”, you first hit the Azure AD B2C service, and then immediately get rerouted to the Azure AD service. The field for username/password is then actually displayed by the Azure AD service (and not by Azure AD B2C). Once you enter a valid username/password, Azure AD stores a cookie on the client machine for SSO reasons, redirects the client back to Azure AD B2C, which then mints a token and returns a B2C token to the application, along with storing its own cookies for SSO reasons. In other words, Azure AD B2C federates to Azure AD for the sign in, and both Azure AD and Azure AD B2C have cookies of their own to maintain SSO.
Now when you call logout to Azure AD B2C or when Azure AD B2C’s session expires, Azure AD B2C does its thing to close the session, which is to delete the cookies. However, it does not delete the Azure AD cookies. Which means that when you sign in again, Azure AD B2C recognizes that you’re not signed in, and calls Azure AD. Because Azure AD has cookies planted or Azure AD’s session is not expired, it SSO’s the user and the user does not need to enter the username/password again (which is the exact behavior you do not want).
To work around this for right now, please also call the logout endpoint for Azure AD after you call the logout endpoint for Azure AD B2C. The logout endpoint for Azure AD is the same as the logout endpoint for Azure AD B2C, but without the policy in the URL. For session expiry, you will need to also limit the session timeout for Azure AD.
We are working on a sign-in policy (currently in private preview) that do not take a dependency on Azure AD. We are also looking into fixing the behavior for the original Sign in policies.
The solution to my question was indeed to limit the session timeout of Azure AD itself using policies that dictate token lifetimes. Here's the policy I set to expire in general all session on the tenant to 15 minutes (which was our desire, read the article if you want to set this policy only for specific applications etc)
Connect-AzureADNew-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1, "MaxAgeSessionSingleFactor":"0.00:15:00","MaxAgeSessionMultiFactor":"0.00:15:00"}}') -DisplayName "TokenLifetimeDefaultPolicy" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"Disconnect-AzureADThanks to Microsoft Support.
Purpose is setup an inactive user's session timeout after 15 mins of inactivity.We have two web apps running on local IIS (it should/must behave same in ms azure cloud)
No.1 MVC web application (here we need inactive user's timeout to be happen after 15 mins)
No.2 MVC rest api
What we have to do create a new policy and assign to a Service principal object.
Please use below mentioned steps 1-6.
1.Download the latest Azure AD PowerShell Module Public Preview release.
2.Run the Connect command to sign in to your Azure AD admin account. Run this command each time you start a new session.Connect-AzureAD -Confirm
- Create new policyNew-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1, "AccessTokenLifetime":"00:15:00","MaxInactiveTime":"00:15:00","MaxAgeSingleFactor":"01:00:00", "MaxAgeSessionSingleFactor":"01:00:00"}}') -DisplayName "KBTokenLifetimePolicy" -IsOrganizationDefault $true -Type "TokenLifetimePolicy"
4.Find desired Azure AD B2C - Applications (Service principal object) ObjectIdGet-AzureADServicePrincipal -Filter "DisplayName eq 'MultitenentPortal'"ObjectId AppId DisplayName
5.List polices and get ObjectId for KBTokenLifetimePolicy policyGet-AzureADPolicyId DisplayName Type IsOrganizationDefault– ----------- ---- ---------------------
6.To add policy to web Azure AD B2C - Applications(Service principal object) :Add-AzureADServicePrincipalPolicy -Id -RefObjectId
Result : so far application doest not timeout. after 15 mins inactive period it still continue to navigate between pages and show data from api.