Channel: Active questions tagged blazor - Stack Overflow

After ASP.NET Core 8 Identity SignOutAsync, the user doesn't have to provide credentials to external log in


When using Blazor's IdentityComponentsEndpointRouteBuilderExtensions.cs logout method:

    accountGroup.MapPost("/Logout", async (
        ClaimsPrincipal user,
        SignInManager<ApplicationUser> signInManager,
        [FromForm] string returnUrl) =>
    {
        await signInManager.SignOutAsync();
        return TypedResults.LocalRedirect($"~/{returnUrl}");
    });

It does sign the user out of the application (cookies are destroyed), but when logging back in and selecting the same external provider (in my case MS Entra ID), no password is required.

This means anyone can re-log in using the previous email address and external provider with no password required.

I have tried this with other providers, like GitHub and Google, and the same situation applies. You can authenticate via the external provider, but never un-authenticate.

Somehow, somewhere there has to be a callback to the external provider to remove the external app credentials.
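The behaviour described in the question follows from `SignOutAsync` clearing only the application's own cookies while the provider keeps its single sign-on session. The sketch below is an added example, not code from the question or from the Blazor template: it assumes Entra ID is registered through the OpenID Connect handler (`Microsoft.AspNetCore.Authentication.OpenIdConnect` package), uses the template's `ApplicationUser` type, and introduces the hypothetical helpers `AddEntraIdWithFreshLogin` and `MapFederatedLogout`.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Added example. Assumes the web SDK's implicit usings, the template's ApplicationUser
// type, and the Microsoft.AspNetCore.Authentication.OpenIdConnect package.
public static class FederatedLogoutExample
{
    // Hypothetical helper: registers Entra ID so that every challenge asks for credentials.
    public static AuthenticationBuilder AddEntraIdWithFreshLogin(
        this AuthenticationBuilder builder, string authority, string clientId, string clientSecret) =>
        builder.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, "Microsoft Entra ID", options =>
        {
            options.Authority = authority;   // tenant authority URL, supplied by the caller
            options.ClientId = clientId;
            options.ClientSecret = clientSecret;
            options.ResponseType = "code";
            options.SignInScheme = IdentityConstants.ExternalScheme;
            options.Events.OnRedirectToIdentityProvider = context =>
            {
                // prompt=login asks the provider to ignore its own SSO session and re-authenticate.
                context.ProtocolMessage.Prompt = "login";
                return Task.CompletedTask;
            };
        });

    // Hypothetical replacement for the /Logout mapping shown in the question.
    public static void MapFederatedLogout(this IEndpointRouteBuilder accountGroup) =>
        accountGroup.MapPost("/Logout", async (
            SignInManager<ApplicationUser> signInManager,
            [FromForm] string returnUrl) =>
        {
            // Clears only this application's Identity cookies.
            await signInManager.SignOutAsync();

            // Accept only a relative path without a leading slash; anything else goes to the site root.
            var isLocal = Uri.TryCreate(returnUrl, UriKind.Relative, out _)
                && !returnUrl.StartsWith('/') && !returnUrl.StartsWith('\\');

            // Signing out of the OpenID Connect scheme redirects the browser to the provider's
            // end-session endpoint, which ends the provider-side session.
            return TypedResults.SignOut(
                new AuthenticationProperties { RedirectUri = isLocal ? $"/{returnUrl}" : "/" },
                new List<string> { OpenIdConnectDefaults.AuthenticationScheme });
        });
}
```

The provider returns the browser to the handler's `SignedOutCallbackPath`, so that URL has to be registered with the provider as a post-logout redirect. Handlers that are plain OAuth rather than OpenID Connect do not implement sign-out, so this pattern applies only to the OpenID Connect registration assumed here.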

