By default, when you sign out of Azure Active Directory when using a Open ID Connect/OAuth2 application, you will be prompted to select a user account to sign out of, even if there is only one user account to select.

To work around this behavior, there are 3 requirements:

Step (1): Add the optional claim for the login_hint

Add the login_hint optional claim to the id token in the App Registration blade

For more information about adding optional claims:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

Step (2): Ensure “profile” and “openid” openid connect scopes are in the original sign-in request

If your using the Authorization code flow…

When the sign-in request is sent, make sure both “openid” and “profile” is listed in the scope. For example:

https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code&client_id=83258bc7-b7fd-4627-ae9b-e3bd5d550572&scope=openid+user.read+profile&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient

During the token endpoint call, when you acquire a access token, an id_token is also returned.

If your using the implicit flow (not recommended)…

https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize?response_type=id_token&client_id=83258bc7-b7fd-4627-ae9b-e3bd5d550572&scope=openid+user.read+profile&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient

After sign-in, when Azure AD redirects back to your application, the id_token will be returned.

On the returned id_token…

The login_hint claim will be returned in the id_token and will look similar to:

O.CiQ0M2E1NDg4Yy05ZGU2LTQyZTUtYWJkZS0zY2IzNGU4ZjBlZGMSJGFhMDBkMWZhLTUyNjktNGUxYy1iMDZkLTMwODY4Mzc…

Step (3): Logout request

When sending the logout request, pass a logout_hint parameter where login_hint is the value:

https://login.microsoftonline.com/williamfiddes.onmicrosoft.com/oauth2/v2.0/logout?post_logout_redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&logout_hint=O.CiQ0M2E1NDg4Yy05ZGU2LTQyZTUtYWJkZS0zY2IzNGU4ZjBlZGMSJGFhMDBkMWZhLTUyNjktNGUxYy1iMDZkLTMwODY4Mzc…

More Information

When using MSAL.js, the code will look like this (MSAL.js will auto send the logout_hint if detected when you send a EndSessionRequest with the account)

logout() {
    var account = this.authService.instance.getAllAccounts()[0];
    let logoutRequest:EndSessionRequest = {
      account: account
    };
 
    this.authService.logout(logoutRequest);
  }

When using Microsoft Identity Web or AspNet (Core) OpenIdConnect Authentication

services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>

{

  // Custom code here.
  options.Events.OnRedirectToIdentityProviderForSignOut = (context) =>

  {

    var login_hint = context.HttpContext.User.Claims.Where(c => c.Type == "login_hint").FirstOrDefault();

    if (login_hint != null)

    {

      context.ProtocolMessage.SetParameter("logout_hint", login_hint.Value);

    };

    return Task.FromResult(true);

  };

});

4 Thoughts to “How to logout of an OAuth2 application without getting prompted to select a user”

  1. Steve

    Hi Bill – this was very helpful. Do you know for sure if this is currently supported with the v2 endpoint? I read that this functionality had become unsupported in the v2 endpoint sometime in 2019 and then was supposed to be back earlier this year, but the behavior for me is that the logout_hint option is not being honored. I am trying to do this in C# (older ASP.NET application). I’m trying different values for the logout hint as I’m seeing it spelled differently on different sites, but none seem to work. I am successfully capturing a value for the login_hint from the token at sign in, but adding that to the logout hint at sign out doesn’t seem to make a difference. Logout does redirect me to my redirectUri, but only after prompting me to choose an account. So just wondering if this feature is back to being supported again. If it is, is there something you see I’m missing in my code? Thank you!

        public static void SignOut(HttpContext Context)
        {
          AuthenticationProperties ap = new AuthenticationProperties();
          ap.Dictionary.Add(“RedirectUri”, redirectUri);
          ap.Dictionary.Add(“LogoutHint”, SessionManager.login_hint);
          ap.Dictionary.Add(“logout_hint”, SessionManager.login_hint);
          ap.Dictionary.Add(“logoutHint”, SessionManager.login_hint);

          Context.GetOwinContext().Authentication.SignOut(ap,
            OpenIdConnectAuthenticationDefaults.AuthenticationType,
            CookieAuthenticationDefaults.AuthenticationType);

          Context.Session.Abandon();
        }

    1. Bac Hoang [MSFT]

      Hi Steve – yes this should work for the V2 endpoint. The logout_hint parameter is documented here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request

  2. […] framework source code is essential; however, articles like this one and blog posts like this one from Bill Fiddes at Microsoft do […]

  3. […] this post by Bill Fiddes shows how to bypass the user selection screen on logout and requires redirecting to this […]

Leave a Comment