Introduction
This article explores how to implement a secure and user-friendly logout redirect mechanism in a Blazor application integrated with Azure AD B2C. We will walk through the importance of logout redirection, configuring the correct endpoints in Azure AD B2C, and handling the client-side logic in your Blazor app to ensure users are securely redirected to the intended page after signing out.
This is a continuation of my previous article on handling Azure AD B2C claims in a Blazor web application.
Configure redirect URI
After logout, the user is redirected to the URI specified in the post_logout_redirect_uri parameter, regardless of the application's configured reply URLs. However, if a valid id_token_hint is included in the request and the "Require ID Token in logout requests" setting is enabled, Azure AD B2C validates that the post_logout_redirect_uri matches one of the application's configured redirect URIs before proceeding with the redirection. If no matching redirect URI is found in the application's configuration, an error is displayed and the user is not redirected.
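To make that rule concrete, here is a small Python model of the decision (an added illustration, not Azure's code or anything from the original article): it builds the end-session request a Blazor app sends and then applies the validation exactly as described above. The tenant name, policy name and token value are constructed sample data, and exact string matching of the redirect URI is an assumption.

```python
from typing import Optional, Set, Tuple
from urllib.parse import urlencode, urlparse, parse_qs


def build_logout_url(tenant: str, policy: str, post_logout_redirect_uri: str,
                     id_token_hint: Optional[str] = None) -> str:
    """Build the Azure AD B2C end-session request sent when the user signs out."""
    params = {"post_logout_redirect_uri": post_logout_redirect_uri}
    if id_token_hint:
        params["id_token_hint"] = id_token_hint
    base = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/logout")
    return f"{base}?{urlencode(params)}"


def evaluate_logout(logout_url: str, registered_redirect_uris: Set[str],
                    require_id_token: bool,
                    hint_is_valid=lambda hint: bool(hint)) -> Tuple[bool, str]:
    """Model of B2C's post-logout redirect decision as described in the article.

    Returns (redirected, target_or_error). `hint_is_valid` stands in for the
    real token validation B2C performs; here any non-empty hint counts as valid.
    """
    query = parse_qs(urlparse(logout_url).query)
    target = query.get("post_logout_redirect_uri", [None])[0]
    hint = query.get("id_token_hint", [None])[0]
    if target is None:
        return False, "missing post_logout_redirect_uri"
    # Validation only happens when the setting is on AND a valid hint is present.
    if require_id_token and hint is not None and hint_is_valid(hint):
        if target in registered_redirect_uris:  # assumption: exact string match
            return True, target
        return False, f"post_logout_redirect_uri {target!r} is not a registered redirect URI"
    # Otherwise the user is sent wherever the request says, registered or not.
    return True, target


if __name__ == "__main__":
    # Constructed sample data: a tenant named "contoso" and a placeholder id_token.
    url = build_logout_url("contoso", "B2C_1_SignIn_SignUp_Demo",
                           "https://localhost:7120/", "ID_TOKEN_PLACEHOLDER")
    registered = {"https://localhost:7120/signin-oidc"}
    print(evaluate_logout(url, registered, require_id_token=True))   # rejected
    registered.add("https://localhost:7120/")                        # the fix
    print(evaluate_logout(url, registered, require_id_token=True))   # redirected
```

Running it shows the failure you get before registering the index page and the successful redirect after adding it; with require_id_token=False the same request is redirected regardless, which is why the setting is worth enabling.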
Let's try it out
Log in to the Azure portal and switch to your B2C tenant.
Select the user flow; in my case it is B2C_1_SignIn_SignUp_Demo.
Go to Properties and, in the Session behavior section, set Require ID Token in logout requests to Yes.
Now run your Blazor application, log in and log out. Because of the session behavior setting, the id_token_hint is included in the logout request, but the post_logout_redirect_uri is not configured on the application, so you get the exception message shown below.
Configure the post_logout_redirect_uri as one of the redirect URIs for the application.
Go to the app registration, find the application, open Redirect URIs from the Manage section and add the redirect URI. In my case the index page is my post_logout_redirect_uri, so I added https://localhost:7120/ as the redirect URI.
Wait a little while before running the application again to test; because of latency in Azure AD B2C, the change may take some time to take effect.
Summary
We have seen how to set up Azure AD B2C to handle logout requests securely and how to configure the Blazor application to manage post-logout redirection effectively. By following these practices, we can ensure that users are properly logged out and redirected to the appropriate destination, enhancing the overall security and usability of the application.