OWIN - Authentication.SignOut() doesn't remove cookies

I have a MVC Web App in Azure with AD authentication. When I run the website locally, it signs in and out just fine, using Azure AD. But the signout on my deployed Azure website does not work. The user remains authenticated, so the SignOutCallback action always redirects to Home/Index.

This is out-of-the-box code that was created when I created the project.

using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

public class AccountController : Controller
{
    /// <summary>
    /// Use this method to sign into the website
    /// </summary>
    public void SignIn()
    {
        // Send an OpenID Connect sign-in request.
        if (!Request.IsAuthenticated)
        {
            HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" },
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
        }
    }

    /// <summary>
    /// Use this method to sign out of the website
    /// </summary>
    public void SignOut()
    {
        string callbackUrl = Url.Action("SignOutCallback", "Account", routeValues: null, protocol: Request.Url.Scheme);

        // Clear the local OWIN cookie session and send the OpenID Connect
        // end-session request to Azure AD; the middleware redirects to
        // callbackUrl once that round trip completes.
        Request.GetOwinContext().Authentication.SignOut(
            new AuthenticationProperties { RedirectUri = callbackUrl },
            OpenIdConnectAuthenticationDefaults.AuthenticationType,
            CookieAuthenticationDefaults.AuthenticationType);
    }

    /// <summary>
    /// Use this method to redirect to Home page, once the request has been authenticated
    /// </summary>
    /// <returns>An <see cref="ActionResult"/> object.</returns>
    public ActionResult SignOutCallback()
    {
        if (Request.IsAuthenticated)
        {
            // Redirect to home page if the user is still authenticated.
            return RedirectToAction("Index", "Home");
        }

        return View();
    }
}

I found a post here with similar issues and have tried what it suggested but it did not work for me.

Has anyone else run into this issue?

user3613871 asked Sep 15 '15 18:09


1 Answer

I have figured out what the issue is. The out-of-the-box MVC Web App in Azure with AD authentication that I created uses AspNet cookies, which GetOwinContext().Authentication.SignOut clears, and this was working fine for me on localhost. The issue arose when I deployed it to Azure and then configured the website in the new Azure portal to use AD authentication. It appears to convert the website into an Azure App Service. Now the cookies are AppServiceAuthSession cookies, no longer the AspNet cookies. Thus, the logout no longer works.

Here is the response from the Microsoft rep that I worked with on this:

I did some more research around this, and spoke with both the Azure AD teams and Azure Websites teams. Apparently that new portal setting takes care of all the auth components for you. So really you have two approaches to setting up Azure AD auth against your website. You can do it through code like you see in that Out of the Box ASP.NET MVC project, where you have access to the AccountController.

Or the other approach is to just let Azure handle it for you by enabling that setting in the new Azure portal. When you let the new Azure portal do it then it uses a different session cookie name and different logout logic. It appears that automatic auth doesn’t play well with the coded logout logic.

So your workaround is correct. You basically have two workarounds here to get an MVC app up and running that supports Azure AD authentication:

  1. Create MVC app that supports AAD auth through code. Manually add application to that Azure AD tenant Applications list to setup the trust. Handle login/logout through code in your MVC app
  2. Create an MVC app that doesn’t have any auth logic. Configure it to support Azure AD auth through the new portal. Add some specific links for logging in and logging out. For this second scenario I recommend you pull down and play with the sample here: https://github.com/btardif/Websites-Authentication-Authorization. That sample you can see supports a Sign Out link, but it taps into the new Authentication/Authorization settings in that new portal. Deploy that sample to a new website, enable Auth settings in the new portal, and you’ll see the signout works and properly deletes those auth session cookies.
user3613871 answered Nov 03 '22 23:11
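The answer explains why the OWIN SignOut call has no effect once the portal's Authentication/Authorization setting is enabled: the session is then carried by the platform-issued AppServiceAuthSession cookie, which the OWIN cookie middleware never created and so cannot clear. The controller below is an added example, not code from the question, the answer, or the linked sample, showing one way to make a single SignOut action work in both deployments by looking at which cookie is actually present. Two things in it are assumptions rather than facts stated on this page: that the platform's sign-out route is /.auth/logout and that it accepts a post_logout_redirect_uri query parameter for the return path. The cookie name comes from the answer above.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

public class AccountController : Controller
{
    // Session cookie issued by App Service Authentication (name taken from the
    // answer above). The platform front end, not the app, creates and owns it.
    private const string AppServiceAuthCookie = "AppServiceAuthSession";

    // ASSUMPTION: App Service Authentication's built-in sign-out route, which
    // clears the platform session and then redirects to post_logout_redirect_uri.
    private const string AppServiceLogoutPath = "/.auth/logout";

    public ActionResult SignOut()
    {
        // Build the return target from a route, never from user input, and keep it
        // a site-relative path so the sign-out hop cannot become an open redirect.
        string returnPath = Url.Action("SignOutCallback", "Account");

        if (Request.Cookies[AppServiceAuthCookie] != null)
        {
            // Portal-configured authentication is in front of the app. The OWIN
            // middleware did not issue this cookie, so Authentication.SignOut()
            // would leave it untouched; hand the sign-out to the platform instead.
            return Redirect(AppServiceLogoutPath
                + "?post_logout_redirect_uri=" + Uri.EscapeDataString(returnPath));
        }

        // Code-configured authentication: clear the OWIN cookie and send the
        // OpenID Connect end-session request to Azure AD, which redirects back
        // to callbackUrl when it is done.
        string callbackUrl = Url.Action("SignOutCallback", "Account",
            routeValues: null, protocol: Request.Url.Scheme);
        Request.GetOwinContext().Authentication.SignOut(
            new AuthenticationProperties { RedirectUri = callbackUrl },
            OpenIdConnectAuthenticationDefaults.AuthenticationType,
            CookieAuthenticationDefaults.AuthenticationType);

        // The middleware has already written the redirect response.
        return new EmptyResult();
    }

    public ActionResult SignOutCallback()
    {
        // Still authenticated here means the sign-out path that ran did not end
        // the session actually in use (the symptom in the question). Surface it
        // rather than silently redirecting home, so a broken sign-out is noticed.
        if (Request.IsAuthenticated)
        {
            ViewBag.Warning = "Sign-out did not end the session; still authenticated as "
                + (User.Identity.Name ?? "(unnamed principal)");
        }

        return View();
    }
}
```

Two caveats for a production deployment. A sign-out action reachable by GET can be triggered by any page the user visits (logout CSRF); if that matters for your application, mark it [HttpPost] with [ValidateAntiForgeryToken] and submit it from a form. And clearing the local session, whether the OWIN cookie or the platform cookie, does not by itself end the user's Azure AD browser session; after sign-out, click SignIn again and confirm that Azure AD actually prompts rather than silently reissuing a token.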