azurerazorazure-static-web-appazure-static-web-app-routing

Azure Web Apps + Active Directory B2C. Logout operation keeps me still as logged in


I've implemented a really simple Razor Webassembly application and used Azure Active Directory B2C as source of truth for authenticate and authorize user.

When I type the StaticWebApp url in my browser, I'm redirected to the login page as expected and here I type my user name and password. Once the login is successfull, the index page of my app is shown and I can see my email as logged user.. So far so good.. But, then when I click the Logout button, I'm redirected to the login page as expected but I'm not actually logged out because if I visit the page again, I see myself as logged again without performing any further login operation.

This is my staticwebapp.config.json file

{
    "responseOverrides": 
    {
        "401": 
        {
            "statusCode": 302,
            "redirect": "/.auth/login/aadb2c"
        }
    },
    "routes":[
        {
          "route": "/.auth/login/aadb2c",
          "allowedRoles": [ "anonymous" ]
        },
        {
          "route": "/.auth/login/aad",
          "allowedRoles": [ "anonymous", "authenticated" ],
          "statusCode": 404
        },
        {
          "route": "/.auth/login/apple",
          "allowedRoles": [ "anonymous", "authenticated" ],
          "statusCode": 404
        },
        {
          "route": "/.auth/login/facebook",
          "allowedRoles": [ "anonymous", "authenticated" ],
          "statusCode": 404
        },
        {
          "route": "/.auth/login/github",
          "allowedRoles": [ "anonymous", "authenticated" ],
          "statusCode": 404
        },
        {
          "route": "/.auth/login/google",
          "allowedRoles": [ "anonyous", "authenticated" ],
          "statusCode": 404
        },
        {
          "route": "/.auth/login/twitter",
          "allowedRoles": [ "anonymous", "authenticated" ],
          "statusCode": 404
        },
        {
          "route": "/login*",
          "allowedRoles": [ "anonymous" ],
          "rewrite": "/.auth/login/aadb2c"
        },
        {
          "route": "/logout*",
          "allowedRoles": [ "authenticated" ],
          "rewrite": "/.auth/logout"
        },
        {
          "route": "/.auth/me",
          "allowedRoles": ["authenticated","anonymous"]
        },
    ],
    "auth": 
    {
        "identityProviders": 
        {
            "customOpenIdConnectProviders": 
            {
                "aadb2c": 
                {
                    "registration": 
                    {
                        "clientIdSettingName": "AADB2C_PROVIDER_CLIENT_ID",
                        "clientCredential": 
                        {
                            "clientSecretSettingName": "AADB2C_PROVIDER_CLIENT_SECRET"
                        },
                        "openIdConnectConfiguration": 
                        {
                            "wellKnownOpenIdConfiguration": "https://{tenantId}.b2clogin.com/
                              {tenantId}.onmicrosoft.com/v2.0/.well-known/
                                 openid-configuration?p={userFlowName}"
                        }
                    },
                    "login": 
                    {
                        "nameClaimType": "emails",
                        "scopes": ["openid"]
                    }
                }
            }
        }   
    }
}

and here is the LoginDisplay razor component which I show in the home page:

<AuthorizeView>
    <Authorized>
        Hello @context.User?.Identity?.Name!
        <a href="/logout">Log out</a>
    </Authorized>
    <NotAuthorized>
        <a href="/login">Log in</a>
    </NotAuthorized>
</AuthorizeView>

What am I missing?

EDIT: other info that may be useful.


Solution

  • It seems that people just implement login functionality in their application and forget about logout :)

    I fixed this issue modifying the route rules. The user must be logged-out from your authentication provider as well.