Bot Framework v3: How to properly perform a user signout?
I'm currently using Bot Framework v3 SDK for C#. My issue occurs when I sign a user out: it doesn't clear out the user's login credentials from the pop-up window (Note: the pop-up window opens up an in-app browser, not my browser). So when my bot prompts the user to sign in again (using a Sign In Card), the login prompt for Microsoft accounts (https://login.microsoftonline.com/common) shows up for a brief second or two before automatically closing. My bot then receives an access token based on the previously signed out user. My testing environments are Microsoft Teams and Bot Emulator.
To sign in, I'm using GetTokenDialog in the Microsoft.Bot.Builder.Dialogs namespace which handles the user sign in and exchanging the authorization token for an access token. This part is working correctly as I'm able to make MS Graph calls with this access token.
To sign out, I'm currently using the Extensions library provided in Microsoft.Bot.Builder.Dialogs namespace.
bool success = await context.SignOutUserAsync(ConnectionName);
where context is an IDialogContext object and ConnectionName is a string of my AAD's OAuth Connection Name.
Using Fiddler, I know that this single code statement makes an HTTP DELETE request to token.botframework.com to delete the token from Azure Bot Service. It returns a boolean value depending on the HTTP response status code and I'm always getting a true value. My token is removed from Azure Bot Service but the pop-up window for login automatically signs the user in based on previous credentials. This leads me to believe that await context.SignOutUserAsync(ConnectionName); doesn't make a logout call to Microsoft Online to graciously log my user out but instead only deletes the token from the Azure Bot Service.
Any documentation and samples I found online make use of this single code statement to sign out a user. Is there something wrong/missing with what I'm doing? Are there any alternatives to circumvent this issue?
Solution 1:[1]
This might be because you are selecting the 'keep me signed in' option.
On the call of SignOutUserAsync(), the token is deleted from Azure. But the user credentials are still cached inside the popup window browser.
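The two separate pieces of state described above (the token held by Azure Bot Service and the Azure AD session held by the browser) can be handled in one sign-out step. The following is an added example, not code from the question, the answer or the Bot Framework samples. Assumptions: `SignOutHelper`, `SignOutEverywhereAsync` and `postLogoutRedirectUri` are hypothetical names, and the redirect URI must be registered on the AAD app behind the OAuth connection.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Bot.Builder.Dialogs;
using Microsoft.Bot.Connector;

public static class SignOutHelper
{
    // Azure AD v2.0 sign-out endpoint for the "common" tenant.
    private const string AadLogoutEndpoint =
        "https://login.microsoftonline.com/common/oauth2/v2.0/logout";

    // Hypothetical helper (not part of the SDK). postLogoutRedirectUri is an
    // assumption: it must be a redirect URI registered on the AAD application.
    public static async Task<bool> SignOutEverywhereAsync(
        IDialogContext context, string connectionName, string postLogoutRedirectUri)
    {
        // Step 1: delete the cached token from the Azure Bot Service token store.
        bool tokenDeleted = await context.SignOutUserAsync(connectionName);
        if (!tokenDeleted)
        {
            await context.PostAsync("Sign-out failed: the stored token could not be removed.");
            return false;
        }

        // Step 2: the Azure AD session cookie is separate state held by the browser.
        // It is only ended by a request to the AAD logout endpoint from that browser.
        string logoutUrl = AadLogoutEndpoint
            + "?post_logout_redirect_uri=" + Uri.EscapeDataString(postLogoutRedirectUri);

        var card = new HeroCard
        {
            Title = "Finish signing out",
            Text = "Your bot token was removed. Open the link to end your Microsoft session.",
            Buttons = new List<CardAction>
            {
                new CardAction(ActionTypes.OpenUrl, "Sign out of Microsoft", value: logoutUrl)
            }
        };

        IMessageActivity reply = context.MakeMessage();
        reply.Attachments = new List<Attachment> { card.ToAttachment() };
        await context.PostAsync(reply);
        return true;
    }
}
```

The logout request ends the session only in the browser context that opens the link. An embedded sign-in window that keeps its own cookie store may still hold the cached credentials the answer describes.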
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Geethu Suresh |
