Not able to log out of Request Tracker after Oauth2 - Azure AD for B2C

None of the users are able to log out after integrating with OAuth2 using Azure AD for B2C. I know there were a few older topics raised against these issues (example: How to customize/redirect default Logout Page?), but none of them provide a working solution.

Logout from Request Tracker ==> redirects to Logout.html ==> after a few seconds logs in automatically after redirecting to the Request Tracker home page.

I want to know, is it possible to explicitly call the Azure AD for B2C logout link whenever a user clicks on Logout?

Here is my Apache rt-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>

    # OIDC settings (mod_auth_openidc)
    OIDCProviderMetadataURL "https://dummy.b2clogin.com/dummy.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1A_SIGNUP_SIGNIN&prompt=login"
    OIDCRedirectURI "https://crm.dummy.com/login"
    OIDCClientID "7502e655-b540-4448"
    OIDCClientSecret ".Ka8Q~LDxQPPn9t4Psl-4"
    OIDCCryptoPassphrase "procreawashstand"
    OIDCRemoteUserClaim signInNames.emailAddress
    OIDCStateMaxNumberOfCookies 7 true
    OIDCResponseType id_token
    OIDCScope "openid profile email"
    OIDCClientJwksUri "https://dummy.b2clogin.com/dummy.onmicrosoft.com/discovery/v2.0/keys?p=B2C_1A_SIGNUP_SIGNIN"
    #OIDCOAuthAcceptTokenAs post
    #OIDCPassUserInfoAs "claims"
    OIDCCookieDomain "crm.dummy.com"
    OIDCDefaultLoggedOutURL "https://crm.dummy.com/?prompt=login"
    OIDCProviderEndSessionEndpoint "https://dummy.b2clogin.com/dummy.onmicrosoft.com/oauth2/v2.0/logout?p=B2C_1A_SIGNUP_SIGNIN&post_logout_redirect_uri=https://crm.dummy.com/?prompt=login"
    #OIDCSessionType client-cookie:persistent
    #OIDCSessionCacheFallbackToCookie On
    OIDCProviderUserInfoEndpoint "https://dummy.b2clogin.com/dummy.onmicrosoft.com/openid/v2.0/userinfo?p=b2c_1a_signup_signin"
    #OIDCRedirectURLsAllowed ^https://crm\.dummy\.com/logout$ ^https://dummy\.b2clogin\.com/dummy.onmicrosoft.com/oauth2/v2.0/logout\?p=B2C_1A_SIGNUP_SIGNIN\&post_logout_redirect_uri=https://crm\.dummy\.com/?prompt=login$
    #OIDCLogoutXFrameOptions: allow-from https://dummy.b2clogin.com/ https://crm.dummy.com
    # END OIDC settings

    AddDefaultCharset UTF-8
    ScriptAlias / /opt/rt5/sbin/rt-server.fcgi/
    DocumentRoot "/opt/rt5/share/html"

    # Everything under / is protected by mod_auth_openidc; the REMOTE_USER it
    # sets from OIDCRemoteUserClaim is what RT's WebRemoteUserAuth consumes.
    <Location />
        #Require all granted
        #OIDC Settings
        SSLRequireSSL
        SSLOptions +StdEnvVars
        AuthType openid-connect
        Require valid-user
        AllowOverride Authconfig Limit
        Order allow,deny
        Allow from all
        # End OIDC Settings
        Options +ExecCGI
        AddHandler fcgid-script fcgi
    </Location>

    ServerName crm.dummy.com
    SSLCertificateFile /etc/letsencrypt/live/crm.dummy.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/crm.dummy.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Do you have a URL that you want Logout.html to go to? In which case the thread you referenced mentioned the possibility of a callback that you could use to inject that URL into the logout process. Did that not work for you for some reason?

I have it, but I don't know how to inject the callback URL?

I have just now tested with the following configuration in a file named "SSO.pm" in the directory "/opt/rt5/etc/RT_SiteConfig.d" where I have "RT_SiteConfig.pm", but it's not working

Set($WebRemoteUserAuth, 1);
Set($WebFallbackToRTLogin, 1); # Not necessary but I like this
Set($WebRemoteUserContinuous, 1); # also not necessary, this is the default
Set($WebRemoteUserAutocreate, 1);
#Set($LogoutURL, "https://dummy.b2clogin.com/dummy.onmicrosoft.com/oauth2/v2.0/logout?p=B2C_1A_SIGNUP_SIGNIN&prompt=login&post_logout_redirect_uri=https://crm.dummy.com");
Set($ModifyLoginRedirect, "https://dummy.b2clogin.com/dummy.onmicrosoft.com/oauth2/v2.0/logout?p=B2C_1A_SIGNUP_SIGNIN&prompt=login&post_logout_redirect_uri=https://crm.dummy.com");

One update: in a separate tab, if I open the following link, the user is getting logged out of RT as well

https://dummy.b2clogin.com/dummy.onmicrosoft.com/oauth2/v2.0/logout?p=B2C_1A_SIGNUP_SIGNIN&prompt=login&post_logout_redirect_uri=https://crm.dummy.com

I tried creating a custom callback, but even then it's not working. Can anyone guide me on how to solve this, please?

Thank you

I don’t do Azure Oauth2 for logins here so I’m shooting in the dark a bit, but looking at our RT 5.x there appears to be a config option called LogoutRefresh which is the number of seconds to wait on the NoAuth/Logout.html page before refreshing back to the login (which in your case is autologging you back in). So you could try setting that config option to a huge number of seconds - 31536000 for example will wait a year before refreshing to the login page.

Otherwise if you post what you’ve written for your local callback we can see if we can spot anything.

Actually, looking at the code in Elements/Header you might be able to set that LogoutRefresh to 0 and turn it off completely (maybe - worth a shot though!).

Thank you @GreenJimll for your reply. Yes, I have tried setting LogoutRefresh to 5 mins then I am getting logged out of RT and I am staying in that page for that time period.

Let me post what I have written in the local callback below:

In the following folder, I have created a file with no extension, "ModifyLoginRedirect":
/opt/rt5/local/html/dummy-callbacks/NoAuth/Logout.html

$URL => "https://dummy.b2clogin.com/dummy.onmicrosoft.com/oauth2/v2.0/logout?p=B2C_1A_SIGNUP_SIGNIN&prompt=login&post_logout_redirect_uri=https://crm.dummy.com"
<%ARGS>
$URL => undef
</%ARGS>
<%INIT>
my $URL = "https://dummy.b2clogin.com/dummy.onmicrosoft.com/oauth2/v2.0/logout?p=B2C_1A_SIGNUP_SIGNIN&prompt=login&post_logout_redirect_uri=https://crm.dummy.com";
</%INIT>

Probably I should rename this topic title to "Not able to logout of Azure AD for B2C after configuring OAuth2 in RT5", as I am able to log out of RT properly, but not able to log out of the parent session, which belongs to "Azure AD for B2C".

Note: I have tried switching from Azure AD for B2C to Auth0; even then I am not able to log out of Auth0, which only gets logged out after closing the incognito window.

After Azure AD for B2C, we should invoke the logout URL of the same to invalidate the parent session, so I am struggling to understand how to properly invoke the logout URL,
which in this case is the following link "https://dummy.b2clogin.com/dummy.onmicrosoft.com/oauth2/v2.0/logout?p=B2C_1A_SIGNUP_SIGNIN&post_logout_redirect_uri=https://crm.dummy.com", and we should set the HTTP Referer too

OK, I will try this, but you know, even if it doesn't get redirected to the login page, if the user clicks on the login button it will automatically log in without asking the user to enter credentials, as the parent session coming from Azure AD for B2C is still valid and not expired. In this case, the user will not be able to log out from Azure AD for B2C from any of the client applications.

Ah, the URL in the callback is a reference to a variable, not the variable itself. And you don’t want to hide the argument variable with a locally my scoped version in the INIT routine. So you probably want something more like:

<%ARGS>
  $URL => undef
</%ARGS>
<%INIT>
  $$URL = "https://dummy.b2clogin.com/dummy.onmicrosoft.com/oauth2/v2.0/logout?p=B2C_1A_SIGNUP_SIGNIN&prompt=login&post_logout_redirect_uri=https://crm.dummy.com";
</%INIT>
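Building on that reply, here is a fuller version of the same ModifyLoginRedirect callback, written for this page as an added example and not taken from the thread or from RT itself. Instead of pointing the browser straight at the B2C logout URL, it sends it through mod_auth_openidc's own logout handler (the OIDCRedirectURI with a `?logout=<landing URL>` query, which is how the module is told to end its session); the module then clears its session cookie and forwards to the configured OIDCProviderEndSessionEndpoint with `id_token_hint` and `post_logout_redirect_uri` set. That matters for the loop described at the top of the thread: RT's Logout.html only drops RT's session, and as long as the module's cookie survives, the refresh back to `/` sets REMOTE_USER again and WebRemoteUserAuth logs the same user straight back in. The file lives at `/opt/rt5/local/html/Callbacks/Local/NoAuth/Logout.html/ModifyLoginRedirect`; the `Local` directory name, the handler URL and the landing URL are assumptions for the example.

```perl
<%ARGS>
$URL => undef
</%ARGS>
<%INIT>
# Added example, not RT's own code. Chain RT's logout through mod_auth_openidc
# so that the Apache OIDC session and the Azure AD B2C session end as well.
use URI;

# Assumed values for this example. The handler must equal OIDCRedirectURI in
# the Apache config, and the landing URL must be registered as a reply URL on
# the B2C application, otherwise B2C rejects the post_logout_redirect_uri.
my $oidc_logout_handler = 'https://crm.dummy.com/login';
my $post_logout_landing = 'https://crm.dummy.com/';

# Logout.html passes URL => \$URL, a reference, so the callback can replace
# the target that Elements/Header will refresh to. Bail out if that changes.
return unless ref $URL eq 'SCALAR';

# Only ever land the browser back on this RT's own HTTPS host. A landing URL
# that came from configuration or a request parameter must never turn the
# IdP's post_logout_redirect_uri into an open redirect.
my $rt_host = lc( URI->new( RT->Config->Get('WebBaseURL') )->host // '' );
my $landing = URI->new($post_logout_landing);
my $landing_ok = $landing->can('host')
    && ( $landing->scheme // '' ) eq 'https'
    && lc( $landing->host // '' ) eq $rt_host;
unless ($landing_ok) {
    RT->Logger->error("Refusing post-logout redirect to '$post_logout_landing'");
    return;    # keep RT's default target (WebPath . '/') untouched
}

# Let URI percent-encode the nested URL rather than concatenating strings;
# an unencoded '?' or '&' inside the landing URL is otherwise parsed as part
# of the outer query string.
my $handler = URI->new($oidc_logout_handler);
$handler->query_form( logout => $landing->as_string );

RT->Logger->info( 'Chaining logout through mod_auth_openidc: ' . $handler->as_string );
$$URL = $handler->as_string;
</%INIT>
```

Leave `LogoutRefresh` at its default so the refresh from Logout.html actually fires; with this callback that refresh is the hand-off to the module, not a return to the login page. On the Apache side nothing beyond the existing `OIDCRedirectURI` and `OIDCProviderEndSessionEndpoint` is needed, but keep the end-session directive to the bare endpoint (`...oauth2/v2.0/logout?p=B2C_1A_SIGNUP_SIGNIN`) and let the module add `post_logout_redirect_uri`, so the request to B2C carries one copy of that parameter rather than two. When B2C returns the browser to the landing page, mod_auth_openidc has no session and redirects to B2C again, which now shows the sign-in page instead of silently issuing a new id_token; seeing that sign-in page, and the module's session cookie being cleared in the logout response, is the check that the parent session really ended.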