Fixes to signout

Fixes to readme about guest account
OnRedirectToIdentityProviderForSignOut code merged in AddMsal() as Add Msal() was overwriting the earlier delegate

Author: Kalyan Krishna

2-WebApp-graph-user/2-2-TokenCache/README.md

@@ -18,7 +18,7 @@ Starting from a .NET Core 2.2 MVC Web app that uses OpenID Connect to sign in us
 
 It leverages the ASP.NET Core OpenID Connect middleware and Microsoft Authentication Library for .NET (MSAL.NET). The complexities of the library's integration with the ASP.NET Core dependency Injection patterns is encapsultated into the `Microsoft.Identity.Web` library project, which is a part of this tutorial.
 
-![Sign in with the Microsoft identity platform for developers (fomerly Azure AD v2.0)](ReadmeFiles/sign-in.png)
+![Sign in with the Microsoft identity platform for developers (formerly Azure AD v2.0)](ReadmeFiles/sign-in.png)
 
 ## How to run this sample
 

5-WebApp-AuthZ/5-1-Roles/README.md

@@ -41,7 +41,7 @@ This sample application defines the following two *Application Roles*:
 
 These application roles are defined in the [Azure portal](https://portal.azure.com) in the application's registration manifest.  When a user signs into the application, Azure AD emits a `roles` claim for each role that the user has been granted individually to the user in the from of role membership.  Assignment of users and groups to roles can be done through the portal's UI, or programmatically using the [Microsoft Graph](https://graph.microsoft.com) and [Azure AD PowerShell](https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0).  In this sample, application role management is done through the Azure portal or using PowerShell.
 
-NOTE: Role claims are not currently emitted for guest users in a tenant
+NOTE: Role claims will not be present for guest users in a tenant if the `/common` endpoint is used as the authority.
 
 ![Sign in with the Microsoft identity platform for developers (formerly Azure AD v2.0)](ReadmeFiles/sign-in.png)
 

Microsoft.Identity.Web/Client/TokenAcquisition.cs

@@ -255,8 +255,7 @@ public async Task RemoveAccount(RedirectContext context)
                 account = accounts.FirstOrDefault(a => a.Username == user.GetLoginHint());
             }
 
- //           this.AppTokenCacheProvider?.Clear();
-            this.UserTokenCacheProvider?.Clear();
+             this.UserTokenCacheProvider?.Clear();
 
             await app.RemoveAsync(account);
         }

Microsoft.Identity.Web/StartupHelpers.cs

@@ -7,6 +7,7 @@
 using Microsoft.Identity.Web.Resource;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using System.Collections.Generic;
+using System.Diagnostics;
 using System.Threading.Tasks;
 
 namespace Microsoft.Identity.Web
@@ -51,17 +52,6 @@ public static IServiceCollection AddAzureAdV2Authentication(this IServiceCollect
                 // and [Access Tokens](https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens)
                 options.TokenValidationParameters.NameClaimType = "preferred_username";
 
-                // Handling the sign-out: removing the account from MSAL.NET cache
-                options.Events.OnRedirectToIdentityProviderForSignOut = async context =>
-                {
-                    var user = context.HttpContext.User;
-
-                    // Avoid displaying the select account dialog
-                    context.ProtocolMessage.LoginHint = user.GetLoginHint();
-                    context.ProtocolMessage.DomainHint = user.GetDomainHint();
-                    await Task.FromResult(0);
-                };
-
                 // Avoids having users being presented the select account dialog when they are already signed-in
                 // for instance when going through incremental consent
                 options.Events.OnRedirectToIdentityProvider = context =>
@@ -72,7 +62,7 @@ public static IServiceCollection AddAzureAdV2Authentication(this IServiceCollect
                         context.ProtocolMessage.LoginHint = login;
                         context.ProtocolMessage.DomainHint = context.Properties.GetParameter<string>(OpenIdConnectParameterNames.DomainHint);
 
-                        // delete the loginhint and domainHint from the Properties when we are done otherwise
+                        // delete the login_hint and domainHint from the Properties when we are done otherwise
                         // it will take up extra space in the cookie.
                         context.Properties.Parameters.Remove(OpenIdConnectParameterNames.LoginHint);
                         context.Properties.Parameters.Remove(OpenIdConnectParameterNames.DomainHint);
@@ -87,7 +77,7 @@ public static IServiceCollection AddAzureAdV2Authentication(this IServiceCollect
 
                     return Task.FromResult(0);
                 };
-                
+
                 // If you want to debug, or just understand the OpenIdConnect events, just
                 // uncomment the following line of code
                 // OpenIdConnectMiddlewareDiagnostics.Subscribe(options.Events);
@@ -140,6 +130,12 @@ public static IServiceCollection AddMsal(this IServiceCollection services, IEnum
                     // Remove the account from MSAL.NET token cache
                     var _tokenAcquisition = context.HttpContext.RequestServices.GetRequiredService<ITokenAcquisition>();
                     await _tokenAcquisition.RemoveAccount(context);
+
+                    var user = context.HttpContext.User;
+
+                    // Avoid displaying the select account dialog
+                    context.ProtocolMessage.LoginHint = user.GetLoginHint();
+                    context.ProtocolMessage.DomainHint = user.GetDomainHint();
                 };
             });
             return services;