In order to sign out a user, an application that is secured using Azure AD B2C needs to make a logout request to the B2C service. As part of this request, a URL needs to be specified that the user will be redirected to once Azure AD B2C completes the sign out request. For extra security, customers have requested a way to restrict the set of URL's that the users can be redirected to post logout. To enable this, we now allow an ID token to be passed in as a parameter in the sign out request as per recommendation of the OIDC specifications. This will allow Azure AD B2C to determine the application the user signed into, and ensure that the redirect URL is one of the allowed URL's specified during the application registration.
Passing in an id token is optional. However, because the ID token is a parameter recommended by the specifications, a good number of OIDC client implementations already include it in logout requests. If it is not added as part of the logout request, the user will be redirected to the specified URL regardless of the URLs that have been allowed. If you would like to enforce the presence of the id token parameter, go to the Token Configuration settings in your policy. Here you will find a new option, highlighted in the screenshot below, that can be used to enable the enforcement. To ensure that we don’t impact any existing customers, we have made the option disabled by default.
For users of custom policy, this can be enabled directly in policy using the newly added EnforceIdTokenHintOnLogout boolean attribute of the SingleSignOn element. If not specified, the default behaviour is not to enforce the presence of the ID token due to backward compatibility reasons.