Blazor Server Allows System Use After Logout
We have a Blazor server app that uses AzureAD for authentication purposes:
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme) .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
We are happy that this works as expected.
The issue comes when logging out, which do with this:
NavManager.NavigateTo("MicrosoftIdentity/Account/SignOut", forceLoad: true, replace:true);
The user is then redirected by Blazor to the following page:
MicrosoftIdentity/Account/SignedOut
If we close the browser at this point, everything is fine and the user has to login again. The issue comes when the user does not close the browser and then navigates back to any page in the app, the navigation is successful and they do not have to login again.
I'm guessing that in some situations this is preferred, but for us, once logged out, they must re-enter their credentials to get back in. Does anyone know what I need to do to force this, there is lots of stuff around httpContext etc, but with Blazor server I do not have access to this.
Thanks
Chris
As sometimes happens I stumbled upon the answer soon after asking the question. Turns out the code was fine, the issue was to do with how we configure the user flow in Azure B2C.
Changing the user flow session behaviour from Application to policy signs the user out and requires them to logon again if they go back to the app without closing the browser.
- How to find the delay when I reset a password using Microsoft's Graph API?
- Outlook calendar don't render with FullCalendar
- Azure Remove User Consent to API
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- Microsoft Identity Web: Change Redirect Uri
- Authenticating to Azure application with JMeter
- How do I solve audience (aud) invalid claim error for downstream api service?
- invalid_request: The provided value for the input parameter 'redirect_uri' is not valid
- I am getting an error that OAuth2 Code has already been redeemed
- Generating token for Fabric Rest api using client secret
- Authenticate to SQL Server with Azure app service managed identity through group
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- How to set Azure MSAL SSO for my Nextjs14 app using Approuter and next-auth
- Unable to Connect to Azure PostgreSQL Database via Point-to-Site VPN with Azure Active Directory on macOS
- How do I retrieve the service principal password after creation using the azure cli?
- Cannot create Azure B2C Tenant
- Accessing Graph API from multi tenant App Function via identity
- My Azure AD B2C User Flow is not returning a token on jwt.ms
- AADSTS65001: The user or administrator has not consented to use the application with ID <app-id>
- AccountEnabled user property from Azure AD returning null
- Azure B2C user flow without an email
- How to use Azure Data Factory to take Business Central data and put into Azure SQL DB?
- Triggering a PowerAutomate desktop flow, using apis, fails due to access issues
- Azure - should the creator of a resource have owner rights?
- Scope is not being added to Access Token returned from Azure Ad
- The required field 'nonce' is missing from the credential. Ensure that you have all the necessary parameters for the login request. [Azure Open ID]
- Exchanging azure AD token with Identity server token
- Website authenticating users against AAD: can the OpenId document be provided offline to the consuming website?
- how to limit code verification email Spaming in Azure B2C
- Custom Claims in a Multitenant Microsoft Entra App