Azure AD SSO : User immediately re-logged in after logout when enableAutoRedirect is true #26622

@Prakhar-Mishra1107

Description

Affected module
Auth / Azure AD SSO

Describe the bug

When enableAutoRedirect: true is configured and a user explicitly clicks Logout, they are immediately re-authenticated and logged back in. The logout appears to succeed (app state clears, user reaches /signin), but auto-redirect fires instantly, silently re-authenticating via Azure AD. It is impossible to stay logged out while the Azure AD session is active.

Steps to reproduce

  1. Configure OpenMetadata with Azure AD SSO and enableAutoRedirect: true

  2. Click user avatar - Logout

  3. Open OpenMetadata - user is silently auto-logged in (expected)

  4. Observe: redirected to /signin, then immediately auto-redirected back and logged in again

  5. Loop repeats indefinitely; user cannot log out

Why PR #26327 does NOT fix this

PR #26327 changed logoutRedirect() to pass account and logoutHint, and updated postLogoutRedirectUri. This fix assumes the MSAL client-side accounts cache is populated. It is not when using server-side OIDC (Pac4j/backend auth).

In a standard OpenMetadata Azure AD deployment, login happens entirely on the server side via Pac4j. The browser never calls instance.loginRedirect() or instance.loginPopup(). As a result, the MSAL PublicClientApplication instance has zero cached accounts: the accounts array is always empty and useAccount() returns null.

// MsalAuthenticator.tsx (current code, shown as reported)

const { instance, accounts, inProgress } = useMsal();

const account = useAccount(accounts[0] || {}); // always null

const logout = async () => {
  await instance.logoutRedirect({
    account: account ?? accounts[0], // undefined
    logoutHint: (account ?? accounts[0])?.username, // undefined
    postLogoutRedirectUri: globalThis.location.origin + ROUTES.SIGNIN,
  });
};

When account is undefined, logoutRedirect() silently fails: MSAL has no session to terminate, no request is sent to Azure AD's end_session_endpoint, and the Azure AD session remains fully active. When the user lands on /signin, enableAutoRedirect fires, Azure AD silently re-authenticates (no login prompt since the session is still live), and the user is back in. There are two separate problems that both need fixing:

Problem 1 - MsalAuthenticator.tsx: logoutRedirect() does nothing because accounts is always empty in server-side OIDC deployments. The Azure AD session is never actually terminated.

Problem 2 - SignInPage.tsx: shouldAutoRedirect has no way to distinguish a fresh visit from a post-logout redirect. Even if the IdP logout were fixed, this logic would still re-login the user if they ever land on /signin while unauthenticated with the Azure AD session active.

// current - fires on every unauthenticated visit, including post-logout

const shouldAutoRedirect =
  authConfig?.enableAutoRedirect &&
  !isAuthProviderBasic &&
  !isAuthenticated &&
  Boolean(onLoginHandler);

To Reproduce

Setup:

  1. OpenMetadata configured with Azure AD SSO
  2. enableAutoRedirect: true in auth settings
  3. prompt left blank/empty/none
  4. OpenMetadata is launched from another Azure AD external web app that shares the same Azure AD account (or directly, where the Azure AD session is active)

Steps:

  1. Open the OM URL in the browser - user is silently auto-logged in without seeing a login prompt

  2. In dev tools - Application - Session Storage - confirm the explicit-logout key does not exist

  3. Dev tools - Console - confirm accounts from MSAL is an empty array

  4. Click Logout

  5. Observe - OM clears state and redirects to /signin

  6. Within 1-2 sec /signin auto-redirects again and the user is back inside OM, logged in

  7. Repeat steps 4-6 - user is unable to log out

Expected behavior
Suppress the OM auto-redirect only; Azure session untouched.

Azure AD session alive - the internal app launching OpenMetadata stays active (both apps, OpenMetadata and the internal app, are in the same Azure AD account).

OM clears its own app state.

The OM explicit-logout flag blocks OM from auto-redirecting back in on that tab.

New tab or new launch from the internal app - flag is absent - auto-redirect works.

Version:

  • OM version: 1.12.3
  • Auth: Azure AD/Entra ID
  • Auth mode: server-side OIDC via Pac4j (not client-side MSAL)
  • enableAutoRedirect: true
  • prompt: ""/none
  • MSAL accounts array: always empty

Additional context
For deployments where OpenMetadata is launched from another Azure AD app and only an OpenMetadata logout is desired.

No request to login.microsoftonline.com/*/oauth2/v2.0/logout: MSAL logoutRedirect() silently did nothing.

Immediately followed by authorize?max_age=3600: enableAutoRedirect fired and Azure AD silently re-authenticated the user.
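The behaviour the report asks for, as an added example (not OpenMetadata's code, not from the reporter): a per-tab explicit-logout flag that the sign-in page checks before auto-redirecting, and a logout planner that inspects MSAL's account cache before calling logoutRedirect(). sessionStorage is scoped to one tab, so the flag suppresses auto-redirect only in the tab that logged out, while a new tab or a fresh launch from the other Azure AD app still auto-redirects, and the Azure AD session itself is left untouched. The key name EXPLICIT_LOGOUT_KEY, the KeyValueStore/MsalLike shapes, MemoryStore and the example URL are assumptions made for this example.

```typescript
// Added example, not OpenMetadata's own code. It models the two fixes the
// report asks for: (1) a per-tab explicit-logout flag (sessionStorage is
// per tab, so a fresh tab still auto-redirects) that the sign-in page checks
// before auto-redirecting, and (2) a logout planner that looks at MSAL's
// account cache first, because with server-side OIDC (Pac4j) the cache is
// empty and logoutRedirect() would silently send nothing to Azure AD.
// Assumed names: EXPLICIT_LOGOUT_KEY, KeyValueStore, MemoryStore, MsalLike.

const EXPLICIT_LOGOUT_KEY = "om.explicitLogout"; // assumed key name

// Subset of the Web Storage API; window.sessionStorage satisfies it in a browser.
interface KeyValueStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

// In-memory stand-in for sessionStorage so the example runs outside a browser.
// One instance models one browser tab.
class MemoryStore implements KeyValueStore {
  private data = new Map<string, string>();
  getItem(key: string): string | null { return this.data.get(key) ?? null; }
  setItem(key: string, value: string): void { this.data.set(key, value); }
  removeItem(key: string): void { this.data.delete(key); }
}

function markExplicitLogout(store: KeyValueStore): void { store.setItem(EXPLICIT_LOGOUT_KEY, "1"); }
function hasExplicitLogout(store: KeyValueStore): boolean { return store.getItem(EXPLICIT_LOGOUT_KEY) === "1"; }
// Call when the user clicks Sign in (or after a successful login) so auto-redirect works again.
function clearExplicitLogout(store: KeyValueStore): void { store.removeItem(EXPLICIT_LOGOUT_KEY); }

interface AutoRedirectInputs {
  enableAutoRedirect: boolean;
  isAuthProviderBasic: boolean;
  isAuthenticated: boolean;
  hasLoginHandler: boolean;
}

// The report's shouldAutoRedirect condition plus the missing
// "did this tab just log out explicitly?" check.
function shouldAutoRedirect(i: AutoRedirectInputs, store: KeyValueStore): boolean {
  return (
    i.enableAutoRedirect &&
    !i.isAuthProviderBasic &&
    !i.isAuthenticated &&
    i.hasLoginHandler &&
    !hasExplicitLogout(store)
  );
}

interface MsalAccount { username: string; }
interface EndSessionLike { account: MsalAccount; logoutHint: string; postLogoutRedirectUri: string; }
interface MsalLike { logoutRedirect(request: EndSessionLike): Promise<void>; }

type LogoutPlan =
  | { kind: "idp_logout"; request: EndSessionLike }
  | { kind: "local_only"; reason: string };

// Decide what logout can actually do. `accounts` is what MSAL's useMsal() /
// getAllAccounts() returns; it is [] when the login happened server-side.
function planLogout(accounts: MsalAccount[], store: KeyValueStore, postLogoutRedirectUri: string): LogoutPlan {
  markExplicitLogout(store); // before any navigation, so /signin in this tab sees it
  const account = accounts[0];
  if (!account) {
    return {
      kind: "local_only",
      reason: "MSAL account cache is empty (server-side OIDC login); logoutRedirect() would do nothing",
    };
  }
  return { kind: "idp_logout", request: { account, logoutHint: account.username, postLogoutRedirectUri } };
}

// Glue for the real logout handler: clear OM's own state, and only navigate to
// the IdP end-session endpoint when MSAL actually holds a session to end.
async function runLogout(
  instance: MsalLike,
  accounts: MsalAccount[],
  store: KeyValueStore,
  postLogoutRedirectUri: string,
  clearAppState: () => void,
): Promise<LogoutPlan> {
  const plan = planLogout(accounts, store, postLogoutRedirectUri);
  clearAppState();
  if (plan.kind === "idp_logout") await instance.logoutRedirect(plan.request);
  return plan;
}

// Walks the report's scenario: logout in tab A with an empty MSAL cache, then
// load /signin in tab A and in a fresh tab B.
function walkScenario(): { plan: LogoutPlan; tabA: boolean; tabB: boolean } {
  const inputs = { enableAutoRedirect: true, isAuthProviderBasic: false, isAuthenticated: false, hasLoginHandler: true };
  const tabA = new MemoryStore();
  const plan = planLogout([], tabA, "https://om.example.com/signin"); // constructed URL
  return { plan, tabA: shouldAutoRedirect(inputs, tabA), tabB: shouldAutoRedirect(inputs, new MemoryStore()) };
}
```

In a browser, pass window.sessionStorage as the store. The flag must be set before any navigation (planLogout does this first) so that the redirect to /signin in the same tab already sees it, and it should be cleared by the Sign in button or after a successful login, otherwise that tab would never auto-redirect again. The local_only branch is the server-side OIDC case from the report: nothing is sent to Azure AD, which matches the stated expectation that the Azure AD session stays alive for the launching app.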

Status: Done ✅