How to sign out from Azure AD 2.0/MSAL in a desktop application?

Question

I'm using MSAL in a WPF desktop application that needs to allow users to sign in and out against Azure AD v2.0. Microsoft's Graph access sample and most of the other examples I see use PublicClientApplication.Remove(IUser) to log out, like in this function:

//(from Microsoft's example)

/// <summary>
/// Sign out the current user
/// </summary>
private void SignOutButton_Click(object sender, RoutedEventArgs e)
{
    if (App.PublicClientApp.Users.Any())
    {
        try
        {
            App.PublicClientApp.Remove(App.PublicClientApp.Users.FirstOrDefault());
            this.ResultText.Text = "User has signed-out";
            this.CallGraphButton.Visibility = Visibility.Visible;
            this.SignOutButton.Visibility = Visibility.Collapsed;
        }
        catch (MsalException ex)
        {
            ResultText.Text = $"Error signing-out user: {ex.Message}";
        }
    }
}

From what I can see, it looks like Remove(IUser) deletes MSAL's cache of that user and their tokens, but it doesn't seem like it's actually signing the user out. If I try to log in to my app again, my previous user will show up as "signed in" and clicking will log me in as that user without having to provide credentials again. Logout does not work when using Microsoft Authentication Library (MSAL) makes me think I will need to log out manually, given the current state of MSAL.

I've found a lot of web-app tutorials like this Microsoft one that say a sign-out should involve deleting the app's local record (what it looks like Remove(IUser) is doing), and also redirecting to some variant of

GET https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F

But my app isn't in a web browser, so I'm not sure what to do with that request. How do I really log out while using MSAL?

Answer 1

You are right, the Remove(IUser) method only removes the user from the cache. We have not yet implemented a Signout method, which would, as your write, leverage the logout endpoint. This is something we want to provide in the future. Note that there are two forms of sign-out: sign-out from the app, and signout from the device.

To answer your last question, your WPF app is not a web browser indeed, but it contains an embedded web browser, which keeps a session cookie, that needs to be cleared by sending azure AD a logout request.