MyChart Post-consent OAuth redirect broken — SAML SLO drops passback parameter

Jessica Salinas

May 15, 2026, 12:12:05 PM (9 days ago) May 15
to SMART on FHIR
Hello,

Has anyone seen a regression with a B2C-federated MyChart instance recently? After a patient clicks "Allow" on a third-party consent screen, they're redirected to the MyChart login page instead of back to the app — the OAuth callback never fires.

The redirect chain shows that `postlogoutmode=oauthredirect` — the signal MyChart uses to complete the OAuth redirect after logout — is present going into the SAML SLO round-trip to the B2C tenant but dropped on the return leg:

```
/mychart/Authentication/Saml/Logout?passBack=true&postlogoutmode=oauthredirect
  → 302 https://<tenant>.b2clogin.com/.../<policy>/samlp/sso/logout?SAMLRequest=...
  → 302 /mychart/Authentication/Saml/Logout    ← postlogoutmode gone
  → 302 /mychart/Authentication/Login          ← OAuth context lost
```

No changes on the third-party app side during this window.

A few questions:
1. Has anyone else hit this with a B2C-federated MyChart instance recently?
2. Is `postlogoutmode` typically carried via SAML `RelayState`, and is it a known issue that B2C may not echo it back?
3. Any tips on getting a health system's integration team to act on a B2C policy issue?

Thanks
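A small model of the round-trip in the post, as an added example that is neither part of the original message nor MyChart or B2C code: the SP packs the passback parameters into the SAML `RelayState`, and whether the IdP echoes `RelayState` on the return leg decides whether the OAuth redirect survives. The IdP host, the `/oauth/redirect-complete` path and the `RelayState` packing are assumptions.

```python
"""Model of the SAML SLO round-trip from the post (added example, not MyChart's
or B2C's code). The SP carries the passback parameters in RelayState; an IdP
that does not echo RelayState drops them and the SP falls back to Login."""
from urllib.parse import urlencode, urlparse, parse_qs

SP_LOGOUT = "/mychart/Authentication/Saml/Logout"   # path from the post
SP_LOGIN = "/mychart/Authentication/Login"          # path from the post
IDP_SLO = "https://tenant.b2clogin.com/policy/samlp/sso/logout"  # placeholder
PASSBACK = {"passBack": "true", "postlogoutmode": "oauthredirect"}  # from the post


def query(url):
    """Flatten the query string of a URL into a dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def sp_initiate_logout(passback):
    """SP -> IdP: HTTP-Redirect binding with the passback params packed in RelayState."""
    params = {"SAMLRequest": "<constructed LogoutRequest>", "RelayState": urlencode(passback)}
    return IDP_SLO + "?" + urlencode(params)


def idp_logout_response(request_url, echo_relay_state):
    """IdP -> SP: LogoutResponse redirect; echo_relay_state=False models the dropping tenant."""
    params = {"SAMLResponse": "<constructed LogoutResponse>"}
    if echo_relay_state and "RelayState" in query(request_url):
        params["RelayState"] = query(request_url)["RelayState"]
    return SP_LOGOUT + "?" + urlencode(params)


def sp_handle_logout_response(response_url):
    """SP: restore passback params from RelayState; without them the OAuth context is lost."""
    restored = query(response_url).get("RelayState", "")
    inner = {k: v[0] for k, v in parse_qs(restored).items()}
    if inner.get("postlogoutmode") == "oauthredirect":
        return "/oauth/redirect-complete"  # hypothetical: resume the deferred OAuth callback
    return SP_LOGIN  # the failure mode seen in the post


def run_chain(echo_relay_state):
    """Simulate the whole redirect chain and return the ordered hops."""
    hops = [SP_LOGOUT + "?" + urlencode(PASSBACK)]
    hops.append(sp_initiate_logout(PASSBACK))
    hops.append(idp_logout_response(hops[-1], echo_relay_state))
    hops.append(sp_handle_logout_response(hops[-1]))
    return hops


def find_drop(hops, param="postlogoutmode"):
    """Index of the first carrier hop lacking `param` (in the query or inside RelayState), else None.
    The last hop is the final destination, not a carrier, so it is not scanned."""
    for i, hop in enumerate(hops[:-1]):
        q = query(hop)
        inner = {k: v[0] for k, v in parse_qs(q.get("RelayState", "")).items()}
        if param not in q and param not in inner:
            return i
    return None
```

Running `find_drop` over a captured chain pinpoints the hop where the passback parameter disappears, which is the evidence to hand to the integration team.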