Azure AD B2C is not supported by Auth0’s federated logout endpoint. I need to log my users out of B2C when they log out of Auth0 (and my app).
What happens now is the following.
- Jane signs in with Azure B2C - both Auth0 and B2C sessions are valid and stored in the browser.
- Jane logs out of the app - since Auth0 does not support federated logout for B2C (they only support these - Log Users Out of Identity Providers) the B2C session would remain in the browser.
- Ada sits down at the same browser and attempts to log in with her B2C account.
  - Auth0 picks up Jane’s cookie and now Ada is signed in as Jane without having to enter a password.
A way to log out of B2C is by issuing a GET from the browser on the end_session_endpoint property in the OIDC Discovery Document.

To accomplish this, I need to know if it’s possible to use an Auth0 Action or Rule to GET the discovery document (Issuer URI field on an Enterprise Connection) and store the property value end_session_endpoint to metadata (on the org, user, or connection??). Once the end_session_endpoint is metadata on an Auth0 object I can retrieve it at logout and redirect my users there.
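One way to do the discovery lookup and build the logout redirect in Node.js, as an added example that is not from the post or from Auth0 itself (the tenant, policy and redirect URIs are constructed placeholders, and the fetch wrapper assumes a Node 18+ global fetch):

```javascript
// Added example: derive the B2C end_session_endpoint from the OIDC discovery
// document and turn it into a logout redirect. Not Auth0 code; the issuer and
// endpoint values below are constructed placeholders for a fictional tenant.
const SAMPLE_DISCOVERY = {
  issuer: "https://example-tenant.b2clogin.com/example-tenant.onmicrosoft.com/b2c_1_signin/v2.0/",
  end_session_endpoint:
    "https://example-tenant.b2clogin.com/example-tenant.onmicrosoft.com/b2c_1_signin/oauth2/v2.0/logout",
};

function discoveryUrl(issuer) {
  // Discovery lives at {issuer}/.well-known/openid-configuration; trim any trailing slash first.
  return issuer.replace(/\/+$/, "") + "/.well-known/openid-configuration";
}

function extractEndSessionEndpoint(doc, issuer) {
  const url = doc && doc.end_session_endpoint;
  if (typeof url !== "string") {
    throw new Error("discovery document has no end_session_endpoint");
  }
  const parsed = new URL(url);
  // Only accept an https endpoint on the issuer's own host, so a tampered or
  // mis-configured document cannot turn the logout redirect into an open redirect.
  if (parsed.protocol !== "https:" || parsed.host !== new URL(issuer).host) {
    throw new Error("end_session_endpoint is not on the issuer's https host");
  }
  return url;
}

function buildLogoutUrl(endSessionEndpoint, postLogoutRedirectUri, idTokenHint) {
  // post_logout_redirect_uri must be registered with the B2C app; id_token_hint is optional.
  const u = new URL(endSessionEndpoint);
  u.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  if (idTokenHint) u.searchParams.set("id_token_hint", idTokenHint);
  return u.toString();
}

async function fetchEndSessionEndpoint(issuer, fetchImpl = fetch) {
  // fetchImpl is injectable so the lookup can be tested without network access.
  const res = await fetchImpl(discoveryUrl(issuer));
  if (!res.ok) throw new Error(`discovery fetch failed: ${res.status}`);
  return extractEndSessionEndpoint(await res.json(), issuer);
}
```

The value returned by fetchEndSessionEndpoint is what a post-login Action could persist (for example with api.user.setAppMetadata) so the app can read it back and redirect there at logout.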