How to sign out from Azure AD 2.0/MSAL in a desktop application?

I'm using MSAL in a WPF desktop application that needs to allow users to sign in and out against Azure AD v2.0. Microsoft's Graph access sample and most of the other examples I see use PublicClientApplication.Remove(IUser) to log out, like in this function:

//(from Microsoft's example)

/// <summary>
/// Sign out the current user
/// </summary>
private void SignOutButton_Click(object sender, RoutedEventArgs e)
{
    if (App.PublicClientApp.Users.Any())
    {
        try
        {
            App.PublicClientApp.Remove(App.PublicClientApp.Users.FirstOrDefault());
            this.ResultText.Text = "User has signed-out";
            this.CallGraphButton.Visibility = Visibility.Visible;
            this.SignOutButton.Visibility = Visibility.Collapsed;
        }
        catch (MsalException ex)
        {
            ResultText.Text = $"Error signing-out user: {ex.Message}";
        }
    }
}

From what I can see, it looks like Remove(IUser) deletes MSAL's cache of that user and their tokens, but it doesn't seem like it's actually signing the user out. If I try to log in to my app again, my previous user will show up as "signed in" and clicking will log me in as that user without having to provide credentials again. Logout does not work when using Microsoft Authentication Library (MSAL) makes me think I will need to log out manually, given the current state of MSAL.

I've found a lot of web-app tutorials like this Microsoft one that say a sign-out should involve deleting the app's local record (what it looks like Remove(IUser) is doing), and also redirecting to some variant of

GET https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F

But my app isn't in a web browser, so I'm not sure what to do with that request. How do I really log out while using MSAL?

Katja asked Nov 27 '17 18:11


1 Answer

You are right, the Remove(IUser) method only removes the user from the cache. We have not yet implemented a Signout method, which would, as you write, leverage the logout endpoint. This is something we want to provide in the future. Note that there are two forms of sign-out: sign-out from the app, and sign-out from the device.

To answer your last question, your WPF app is indeed not a web browser, but it contains an embedded web browser, which keeps a session cookie that needs to be cleared by sending Azure AD a logout request.

Jean-Marc Prieur answered Oct 11 '22 23:10
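The two-step sign-out the answer describes (forget the cached user, then end the Azure AD session held by the embedded browser's cookie), as an added example that is neither the question's code nor Microsoft's sample. It uses the MSAL API shape shown in the question (PublicClientApp.Users and Remove(IUser)) and the logout endpoint quoted there; the control names ResultText and LogoutBrowser, the App.PublicClientApp property and the post_logout_redirect_uri value are assumed placeholders for the app's own XAML and configuration.

```csharp
// Added example: two-step sign-out for a WPF app using MSAL.
// Assumptions (not from the page): a WebBrowser control named LogoutBrowser and a
// TextBlock named ResultText exist in the window's XAML; App.PublicClientApp is the
// app's PublicClientApplication; PostLogoutRedirectUri is a placeholder value.
using System;
using System.Linq;
using System.Threading.Tasks;
using System.Windows;
using System.Windows.Controls;
using System.Windows.Navigation;
using Microsoft.Identity.Client;

public partial class MainWindow : Window
{
    // Placeholder: must match a post-logout redirect URI registered for the app.
    private const string PostLogoutRedirectUri = "http://localhost/myapp/";
    // The v2.0 logout endpoint from the question.
    private const string LogoutEndpoint =
        "https://login.microsoftonline.com/common/oauth2/v2.0/logout";

    private async void SignOutButton_Click(object sender, RoutedEventArgs e)
    {
        try
        {
            // Step 1: clear MSAL's local record of the user and their tokens.
            // On its own this only stops the app from using the cached tokens.
            foreach (var user in App.PublicClientApp.Users.ToList())
            {
                App.PublicClientApp.Remove(user);
            }

            // Step 2: end the server-side session. The embedded browser still holds the
            // Azure AD session cookie, so without this the next sign-in is silent.
            bool serverSessionEnded =
                await EndServerSessionAsync(LogoutBrowser, TimeSpan.FromSeconds(30));

            ResultText.Text = serverSessionEnded
                ? "User has signed-out"
                : "Local cache cleared, but the Azure AD session could not be confirmed as ended";
        }
        catch (MsalException ex)
        {
            ResultText.Text = $"Error signing-out user: {ex.Message}";
        }
    }

    /// <summary>
    /// Navigates the embedded browser to the logout endpoint and completes with true
    /// when Azure AD redirects back to post_logout_redirect_uri, or false on timeout.
    /// Must be called on the UI thread (it touches the WebBrowser control).
    /// </summary>
    private static Task<bool> EndServerSessionAsync(WebBrowser browser, TimeSpan timeout)
    {
        var tcs = new TaskCompletionSource<bool>();
        var logoutUri = new Uri(LogoutEndpoint + "?post_logout_redirect_uri=" +
                                Uri.EscapeDataString(PostLogoutRedirectUri));

        // Use Navigating (fires before the request) so the redirect is detected even if
        // nothing is listening at the redirect URI; cancelling it avoids a broken page.
        NavigatingCancelEventHandler onNavigating = null;
        onNavigating = (s, args) =>
        {
            if (args.Uri != null &&
                args.Uri.AbsoluteUri.StartsWith(PostLogoutRedirectUri,
                                                StringComparison.OrdinalIgnoreCase))
            {
                args.Cancel = true;
                browser.Navigating -= onNavigating;
                tcs.TrySetResult(true);
            }
        };
        browser.Navigating += onNavigating;
        browser.Navigate(logoutUri);

        // Fail closed: after the timeout, report that sign-out was not confirmed rather
        // than assuming it succeeded. The continuation runs on the UI thread.
        Task.Delay(timeout).ContinueWith(_ =>
        {
            browser.Navigating -= onNavigating;
            tcs.TrySetResult(false);
        }, TaskScheduler.FromCurrentSynchronizationContext());

        return tcs.Task;
    }
}
```

The point a practitioner should take from this is the order and the failure handling: clearing the cache first means the app never reuses tokens for a user it considers signed out, and the UI only reports a full sign-out once the identity provider has actually redirected back, so an unreachable logout endpoint does not masquerade as success. Later MSAL.NET releases replaced Users/Remove(IUser) with GetAccountsAsync()/RemoveAsync(IAccount); step 1 changes accordingly, step 2 does not.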