Hello,
I have a Blazor WASM + MAUI Blazor project + API project in which I have implemented the login through a Microsoft account. I also use OpenIddict.
The logout process is done by calling the following code:
MAUI Blazor:
NavigationManager.NavigateToLogout("/account/logout");
Blazor Web App:
NavigationManager.NavigateToLogout("/authentication/logout");
In both cases, it logs me out of my application, but it does not log me out of Microsoft Entra. This means that when the user tries to log in again through Microsoft Entra, they're automatically logged back in with the same account.
Should the logout process of Abp.IO also send a logout request to my Microsoft Entra account, or do I need to do some extra steps?
Thanks!
1 Answer(s)
- Solution
What happens by default:
- NavigationManager.NavigateToLogout(...) signs the user out from your ABP/OpenIddict server and clears the local app session (Blazor WASM/MAUI). It does not automatically sign out from Microsoft Entra ID. After logout, when users start login again, Entra can silently re-authenticate using its active session, so they get back in without picking an account.
Why: OIDC single logout is a separate step. To sign out of the external Identity Provider (Microsoft Entra), the client must call the Entra “end session” (sign-out) endpoint with appropriate parameters. ABP/OpenIddict doesn’t automatically perform an upstream IdP logout. Some IdPs also restrict third-party initiated sign-outs.
What to do:
If you want to also sign out from Microsoft Entra:
- Redirect the user to Entra’s sign-out URL after your app logout completes. Microsoft Entra supports front-channel sign-out via its OIDC end-session request.
- The typical URL pattern (see Microsoft docs) is: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout?post_logout_redirect_uri={url-encoded-callback}
- Steps:
- Complete app logout first (NavigateToLogout).
- On the logout callback (Blazor WASM’s /authentication/logout-callback page), navigate to the Entra logout URL above, passing post_logout_redirect_uri back to your app’s public URL (e.g., https://yourapp/authentication/login or a public landing page).
- After Entra clears the session, user is redirected to your post_logout_redirect_uri. Make sure that URI is registered as a logout redirect in your Entra app registration.
- Note: If you use multiple tenants or the common endpoint, adjust {tenant} accordingly.
Example (Blazor WASM override of the Authentication page):
```razor
@* MyAuthentication.razor *@
@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
@using Volo.Abp.DependencyInjection
@inherits Volo.Abp.AspNetCore.Components.WebAssembly.LeptonXTheme.Pages.Authentication
@attribute [ExposeServices(typeof(Volo.Abp.AspNetCore.Components.WebAssembly.LeptonXTheme.Pages.Authentication))]
@attribute [Dependency(ReplaceServices = true)]

<RemoteAuthenticatorView Action="@Action" />
```

```csharp
// MyAuthentication.razor.cs
using System; // for Uri.EscapeDataString

public partial class MyAuthentication
{
    protected override void OnInitialized()
    {
        if (Action == "logout-callback")
        {
            // 1) After app logout completes, sign out from Entra too:
            var postLogout = Uri.EscapeDataString(NavigationManager.BaseUri.TrimEnd('/')); // e.g. https://yourapp/
            var tenant = "your-tenant-id-or-common";
            var entraLogout = $"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout?post_logout_redirect_uri={postLogout}";
            NavigationManager.NavigateTo(entraLogout, forceLoad: true);
            return;
        }
    }
}
```

Important:
- Ensure post_logout_redirect_uri is configured in your Entra app registration.
- Use a fully qualified HTTPS URL.
- If you want to send users back to login immediately, set post_logout_redirect_uri to your app root (which is [Authorize] protected) or to /authentication/login.
- If you cannot or do not want to sign out from Entra (e.g., organizational policy):
- Force account selection on next login by adding prompt=select_account to the authorization request so users can choose a different Entra account even if a session exists.
- In Blazor WASM AddOidcAuthentication, you can append query parameters to the authorization endpoint via ProviderOptions.AdditionalProviderParameters:
```csharp
builder.Services.AddOidcAuthentication(options =>
{
    builder.Configuration.Bind("AuthServer", options.ProviderOptions);
    options.ProviderOptions.AdditionalProviderParameters.Add("prompt", "select_account");
});
```

- This does not sign out Entra but prevents silent re-login.
- For MAUI (if using an embedded OIDC client like IdentityModel.OidcClient):
- After your app logout, also navigate to the Entra logout URL using a browser (via WebAuthenticator or Launcher) with post_logout_redirect_uri back to your custom scheme (if applicable), or a neutral page.
- Ensure your redirect URI/scheme is registered in Entra and in your platform handlers.
- Known ABP notes:
- ABP/OpenIddict handles app-side logout (/account/logout or /authentication/logout and callback) but doesn’t automatically trigger upstream IdP logout. This behavior is consistent with OIDC norms and prior ABP support answers.
- Sources
- Microsoft Entra ID sign-out flow (OpenID Connect):
- https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc
- https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#send-a-sign-out-request
- ABP Support references about external provider logout behavior and Blazor WASM logout customization (indirectly relevant, confirming ABP doesn’t remove the provider’s session automatically):
- https://abp.io/support/questions/2283
- https://abp.io/support/questions/3071
- https://abp.io/support/questions/5976
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
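The answer builds the Entra end-session URL by string concatenation. The helper below is an added example, not code from the answer, from ABP, or from Microsoft; it assembles the same `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout` request, but only after checking that the tenant segment is plausible and that `post_logout_redirect_uri` is an absolute HTTPS URL that exactly matches one of the values you registered on the app registration. Entra rejects unregistered callbacks anyway, so validating client-side just gives a clearer failure and keeps the logout hop from ever forwarding an unexpected URL. The class name `EntraSignOutUrl`, the `Build` method, the optional `id_token_hint` parameter (documented in the Microsoft OIDC sign-out docs linked above) and all sample tenant/URI values are this example's own.

```csharp
// Added example (not from the ABP answer, ABP or Microsoft code bases).
// Builds the Microsoft Entra ID OIDC end-session URL with a validated
// post_logout_redirect_uri. Names and sample values are this example's own.
using System;
using System.Collections.Generic;
using System.Linq;

public static class EntraSignOutUrl
{
    // Tenant segments Entra accepts besides a tenant GUID or a verified domain name.
    private static readonly HashSet<string> WellKnownTenants =
        new(StringComparer.OrdinalIgnoreCase) { "common", "organizations", "consumers" };

    public static Uri Build(
        string tenant,
        string postLogoutRedirectUri,
        IReadOnlyCollection<string> registeredPostLogoutRedirectUris,
        string? idTokenHint = null)
    {
        if (string.IsNullOrWhiteSpace(tenant))
            throw new ArgumentException("Tenant is required.", nameof(tenant));
        if (!WellKnownTenants.Contains(tenant) && !Guid.TryParse(tenant, out _) && !tenant.Contains('.'))
            throw new ArgumentException(
                "Tenant must be a GUID, a verified domain, or common/organizations/consumers.", nameof(tenant));

        // The callback must be an absolute HTTPS URL that exactly matches a value
        // registered on the Entra app registration. Reject rather than "fix" it:
        // Entra would reject a mismatch too, and loose matching invites tampering.
        if (!Uri.TryCreate(postLogoutRedirectUri, UriKind.Absolute, out var callback)
            || callback.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException(
                "post_logout_redirect_uri must be an absolute https URL.", nameof(postLogoutRedirectUri));

        if (!registeredPostLogoutRedirectUris.Any(r =>
                string.Equals(r, callback.AbsoluteUri, StringComparison.Ordinal)))
            throw new InvalidOperationException(
                $"'{callback.AbsoluteUri}' is not a registered post-logout redirect URI.");

        var query = new List<string>
        {
            "post_logout_redirect_uri=" + Uri.EscapeDataString(callback.AbsoluteUri)
        };

        // Optional: id_token_hint tells Entra which signed-in session the request
        // refers to. The raw ID token is passed through, only URL-encoded.
        if (!string.IsNullOrEmpty(idTokenHint))
            query.Add("id_token_hint=" + Uri.EscapeDataString(idTokenHint));

        var tenantSegment = Uri.EscapeDataString(tenant);
        return new Uri(
            $"https://login.microsoftonline.com/{tenantSegment}/oauth2/v2.0/logout?{string.Join("&", query)}");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values; use your own tenant and the URIs you registered.
        var registered = new[] { "https://yourapp.example/authentication/login" };

        var ok = EntraSignOutUrl.Build("common", "https://yourapp.example/authentication/login", registered);
        Console.WriteLine(ok);

        try
        {
            // A callback that was never registered is refused instead of being sent to Entra.
            EntraSignOutUrl.Build("common", "https://other.example/", registered);
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine("Rejected: " + e.Message);
        }
    }
}
```

In the Blazor override from the answer you would call `EntraSignOutUrl.Build(...)` in the `logout-callback` branch and pass the resulting `Uri` to `NavigationManager.NavigateTo(..., forceLoad: true)`; the registered list can come from configuration so it stays in step with the app registration.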