PublicClientApplication.logout should be able to log the user out without interaction #3286

Closed
1 of 10 tasks
k-mehta opened this issue Mar 23, 2021 · 1 comment · Fixed by #3044
Labels
feature Feature requests. msal-browser Related to msal-browser package

k-mehta commented Mar 23, 2021

Library

  • msal@1.x.x or @azure/msal@1.x.x
  • @azure/msal-browser@2.12.1
  • @azure/msal-node@1.x.x
  • @azure/msal-react@1.x.x
  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.x.x
  • @azure/msal-angular@2.x.x
  • @azure/msal-angularjs@1.x.x

Description

When the logout function is called, the user is redirected to a page which asks them to select which account they want to log out of. They have to make a selection even if they're only logged in to one account. I tried giving the logout function an EndSessionRequest object with the account parameter populated but that doesn't bypass the account selection either. It'd be a cleaner user experience if the user didn't have to take this seemingly unnecessary extra step.

Source

    const logoutRequest: EndSessionRequest = { account };
    await msalApplication.current.logout(logoutRequest);
  • Internal (Microsoft)
  • Customer request

k-mehta added the feature label Mar 23, 2021
github-actions bot added the msal-browser label Mar 23, 2021

Collaborator

tnorling commented Mar 23, 2021

@k-mehta The account object you provide to the logout function is used to clear local cache; it is not used to tell the server who to sign out. In order to sign the user out on the server the redirect to the sign-out screen is required. Without this redirect your user could sign back into your application without providing credentials again as their server session would remain active. There is currently no way to bypass the account selection screen and this is not something MSAL controls. We've heard this feedback before and we've passed it along to the server team but it's ultimately their decision whether or not they'll pick it up.

If you don't care about signing the user out of the server you can pass a callback that returns false to onRedirectNavigate on the logout request. This will skip the redirect to the server but will leave the server session active.

Documentation around this will be updated in #3044 to clarify why this is required and the workaround described above.
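
Added example, not part of the thread and not MSAL's own code: a small model of the two logout paths described in the comment above, showing that returning false from `onRedirectNavigate` clears the local cache but leaves the server session usable. `ModelClient`, its `serverSessionActive` flag, the helper names and the placeholder URL are assumptions made for illustration, and the model is synchronous for brevity while the issue's own snippet awaits `logout`.

```typescript
// Stand-in types mirroring the fields used in this issue (not imported from MSAL).
interface AccountInfo { homeAccountId: string; username: string }
interface EndSessionRequest {
  account?: AccountInfo;
  onRedirectNavigate?: (url: string) => boolean | void;
}

// Constructed model of the behaviour described in the comment above:
// logout always clears the local cache; the server session ends only if
// the browser is allowed to navigate to the server's sign-out page.
class ModelClient {
  cache: AccountInfo[] = [];
  serverSessionActive = false;

  signIn(account: AccountInfo): void {
    this.cache.push(account);
    this.serverSessionActive = true;
  }

  logout(request: EndSessionRequest = {}): void {
    const id = request.account?.homeAccountId;
    this.cache = id === undefined ? [] : this.cache.filter(a => a.homeAccountId !== id);
    const url = "https://login.example/logout"; // placeholder, not a real endpoint
    if (request.onRedirectNavigate?.(url) === false) return; // redirect skipped
    this.serverSessionActive = false; // stands in for the server sign-out page
  }
}

// Full sign-out: local cache and server session.
function signOutEverywhere(app: ModelClient, account: AccountInfo): void {
  app.logout({ account });
}

// Workaround from the comment: local cache only, server session stays active.
function signOutLocalOnly(app: ModelClient, account: AccountInfo): void {
  app.logout({ account, onRedirectNavigate: () => false });
}

// Runs both paths on a constructed account and reports the remaining state.
function compare(): { full: boolean; localOnly: boolean; localCacheEmpty: boolean } {
  const user: AccountInfo = { homeAccountId: "constructed-id", username: "user@example.com" };
  const a = new ModelClient();
  a.signIn(user); signOutEverywhere(a, user);
  const b = new ModelClient();
  b.signIn(user); signOutLocalOnly(b, user);
  return { full: a.serverSessionActive, localOnly: b.serverSessionActive, localCacheEmpty: b.cache.length === 0 };
}
```

On a shared or kiosk device the `localOnly: true` result is the case to avoid, since the next person at the browser can sign back in without credentials.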

tnorling linked a pull request Mar 24, 2021 that will close this issue
github-actions bot locked as resolved and limited conversation to collaborators Apr 1, 2021