How to logout of an OAuth2 application without getting prompted to select a user

Published 2022-03-16, last modified 2023-03-06. Source: https://blogs.aaddevsup.xyz/2022/03/how-to-logout-of-an-oauth2-application-without-getting-prompted-to-select-a-user/

By default, when you sign out of Azure Active Directory from an OpenID Connect/OAuth2 application, you will be prompted to select the user account to sign out of, even if there is only one account to choose from.

To work around this behavior, there are 3 requirements:

Step (1): Add the optional claim for the login_hint

Add the login_hint optional claim to the ID token in the App Registration blade.


For more information about adding optional claims, see:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

Step (2): Ensure the "profile" and "openid" OpenID Connect scopes are in the original sign-in request

If you're using the authorization code flow...

When the sign-in request is sent, make sure both "openid" and "profile" are listed in the scope parameter. For example:

https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code&client_id=83258bc7-b7fd-4627-ae9b-e3bd5d550572&scope=openid+user.read+profile&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient

During the token endpoint call, when you acquire an access token, an id_token is also returned.

If you're using the implicit flow (not recommended)...

https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize?response_type=id_token&client_id=83258bc7-b7fd-4627-ae9b-e3bd5d550572&scope=openid+user.read+profile&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient

After sign-in, when Azure AD redirects back to your application, the id_token is returned in the response.

On the returned id_token...

The login_hint claim will be present in the id_token and will look similar to:

O.CiQ0M2E1NDg4Yy05ZGU2LTQyZTUtYWJkZS0zY2IzNGU4ZjBlZGMSJGFhMDBkMWZhLTUyNjktNGUxYy1iMDZkLTMwODY4Mzc…

Step (3): Logout request

When sending the logout request, pass a logout_hint parameter whose value is the login_hint claim taken from the id_token:

https://login.microsoftonline.com/williamfiddes.onmicrosoft.com/oauth2/v2.0/logout?post_logout_redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&logout_hint=O.CiQ0M2E1NDg4Yy05ZGU2LTQyZTUtYWJkZS0zY2IzNGU4ZjBlZGMSJGFhMDBkMWZhLTUyNjktNGUxYy1iMDZkLTMwODY4Mzc…
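As an added example (not code from the original post), the three steps wired together in plain Node.js: the sign-in URL builder refuses to send a request without both "openid" and "profile", the login_hint claim is read from the id_token payload, and the logout URL carries it as logout_hint. The tenant and client_id come from the sample URLs above; the id_token is constructed inline with a dummy signature, and no signature verification is done here (that remains the job of your OIDC library).

```javascript
// Added example (not from the original post). Tenant and client_id are the sample
// values from the post; the id_token below is constructed with a dummy signature.
const AUTHORITY = "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0";
// Step (2): without both "openid" and "profile" in scope, Azure AD does not put the
// login_hint claim in the id_token, even when the optional claim is configured.
function buildAuthorizeUrl(clientId, redirectUri, scopes) {
  for (const required of ["openid", "profile"]) {
    if (!scopes.includes(required)) {
      throw new Error(`sign-in request is missing the "${required}" scope`);
    }
  }
  const params = new URLSearchParams({
    response_type: "code", client_id: clientId,
    scope: scopes.join(" "), redirect_uri: redirectUri,
  });
  return `${AUTHORITY}/authorize?${params}`;
}
// Decode a JWT payload segment (base64url, unpadded). This does NOT verify the
// signature: only call it on an id_token your OIDC library has already validated.
function decodeJwtPayload(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}
// Step (3): logout_hint carries the opaque login_hint value verbatim; URLSearchParams
// percent-encodes it so characters such as "+" or "/" survive the query string.
// If the claim is absent the request goes out without logout_hint and the account
// picker is shown, which is the default behaviour the post describes.
function buildLogoutUrl(idToken, postLogoutRedirectUri) {
  const claims = decodeJwtPayload(idToken);
  const params = new URLSearchParams({ post_logout_redirect_uri: postLogoutRedirectUri });
  if (typeof claims.login_hint === "string" && claims.login_hint.length > 0) {
    params.set("logout_hint", claims.login_hint);
  }
  return `${AUTHORITY}/logout?${params}`;
}
// Constructed id_token: header and payload are real base64url JSON, the
// signature segment is a dummy (nothing here checks it).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_ID_TOKEN = [
  b64url({ alg: "RS256", typ: "JWT" }),
  b64url({ aud: "83258bc7-b7fd-4627-ae9b-e3bd5d550572",
           preferred_username: "alice@contoso.onmicrosoft.com",
           login_hint: "O.CiQ0M2E1NDg4Yy05ZGU2LTQ" }),
  "dummy-signature",
].join(".");
```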

More Information

When using MSAL.js, the code will look like the snippet below. MSAL.js automatically sends the logout_hint parameter when the account you pass in the EndSessionRequest carries a login_hint claim.

```typescript
// Angular + @azure/msal-angular: this.authService is the injected MsalService.
import { EndSessionRequest } from "@azure/msal-browser";

logout() {
  // Take the first cached account (single-account app); MSAL reads the
  // login_hint claim from that account's id_token claims and adds logout_hint.
  const account = this.authService.instance.getAllAccounts()[0];
  const logoutRequest: EndSessionRequest = {
    account: account
  };

  this.authService.logout(logoutRequest);
}
```

When using Microsoft Identity Web or ASP.NET (Core) OpenIdConnect authentication, set the parameter in the OnRedirectToIdentityProviderForSignOut event:

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    // Runs just before the handler redirects the browser to the end-session endpoint.
    options.Events.OnRedirectToIdentityProviderForSignOut = context =>
    {
        // The login_hint claim is only present when the optional claim is configured
        // and the sign-in request included the "openid" and "profile" scopes.
        var loginHint = context.HttpContext.User.Claims
            .FirstOrDefault(c => c.Type == "login_hint");

        if (loginHint != null)
        {
            // Forward it as logout_hint so Azure AD skips the account picker.
            context.ProtocolMessage.SetParameter("logout_hint", loginHint.Value);
        }

        return Task.CompletedTask;
    };
});
```