Unable to logout when using Keycloak as Custom Identity Provider in Azure B2C

We have the following setup:

  • a Keycloak instance hosted on a VM
  • a B2C tenant with a Custom OpenID Connect provider configured for the Keycloak instance
  • an application using msal to communicate with B2C

The login flow works as expected:

  • when a user accesses our application, the user gets redirected to B2C
  • then B2C redirects the user to the Keycloak login screen
  • after successful authentication, the user gets redirected back to B2C for MFA
  • then the user gets redirected back to our application with both an ID and an Access Token

The problem we are facing is with the logout flow:

  • when the user clicks to logout in our application, the user gets correctly redirected to https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/logout
  • then B2C loads the end_session_endpoint of Keycloak (https://{keycloak_domain}/realms/{realm}/protocol/openid-connect/logout) in an iframe and redirects back to our application

This flow does not end the user’s session in Keycloak as the logout page requires the user to click a button to logout. By loading the page in an iframe and redirecting back to the application, the Keycloak logout page is never displayed to the user and the session is never terminated.

Do you have any suggestions on how we can solve this issue?