I am having a strange issue. I am using MSAL 2 with an Entra Customer tenant, and users can log in, but cannot log out.
Here's my sample configuration, which I had to change from the original documentation due to a bug where if you are not a global admin, you cannot log in.
```json
"AzureAd": {
  "Authority": "https://55...67.ciamlogin.com/55...67/v2.0",
  "Instance": "https://55...67.ciamlogin.com/55...67/v2.0",
  "Domain": "exampleTenant.onmicrosoft.com",
  "ClientId": "44...56",
  "ClientSecret": "{{omitted}}",
  "ClientCertificates": [ ],
  // the following is required to handle Continuous Access Evaluation challenges
  "ClientCapabilities": [ "cp1" ],
  "CallbackPath": "/signin-oidc"
},
"DownstreamApi": {
  "Scopes": "User.ReadBasic.All user.read email"
}
```
My DI Registration:
```csharp
private static void RegisterAuthentication(IServiceCollection services, IConfiguration configuration)
{
    var authenticatedPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    // <ms_docref_add_msal>
    // Scopes are space-separated in appsettings, so split on ' ' (the empty char literal '' does not compile)
    IEnumerable<string>? initialScopes = configuration["DownstreamApi:Scopes"]?.Split(' ');
    services.AddMicrosoftIdentityWebAppAuthentication(configuration, "AzureAd")
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
        .AddDownstreamApi("DownstreamApi", configuration.GetSection("DownstreamApi"))
        .AddInMemoryTokenCaches();
    // </ms_docref_add_msal>

    // <ms_docref_add_default_controller_for_sign-in-out>
    services.AddRazorPages().AddMvcOptions(options =>
    {
        options.Filters.Add(new AuthorizeFilter(authenticatedPolicy));
        // filters omitted for brevity
    }).AddMicrosoftIdentityUI();
    // </ms_docref_add_default_controller_for_sign-in-out>

    services.AddCascadingAuthenticationState();
    services.AddAuthorizationBuilder()
        // policies omitted for brevity
        .AddFallbackPolicy(PolicyConstants.MustBeAuthenticated, authenticatedPolicy);
}
```
And then, for clarity, here's the app configuration:
```csharp
var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.UseWebAssemblyDebugging();
}
else
{
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseAntiforgery();
app.UseAuthentication();
app.UseAuthorization();

app.MapRazorComponents<App>()
    .AddInteractiveServerRenderMode()
    .AddInteractiveWebAssemblyRenderMode()
    .AddAdditionalAssemblies(typeof(MyClientApp._Imports).Assembly);

app.Run();
```
Then, I have a redirect for unauthenticated users to `MicrosoftIdentity/Account/SignIn`. This works great. Users are sent to login and come back authenticated with claims.
Now I wanted to add a logout link:

```html
<a href="MicrosoftIdentity/Account/SignOut" class="ti-dropdown-item"><i class="ti ti-logout text-lg"></i> Sign Out</a>
```
However, when the redirection happens, `MicrosoftIdentity/Account/SignOut` throws a 404. I think it's odd that sign-in works, but sign-out does not.