Are we supposed to always send a request to auth0.com/logout to logout?

stephenhuh · December 19, 2017, 5:59am

It seems that in the logout docs you’re expected to hit Auth0’s /logout endpoint for any logging out scenario in order to indicate to Auth0 that a user has logged out.

However, it seems that most of the code samples don’t seem to do this, but only handle the application’s logout session. e.g.
Jquery Sample:

  function logout() {
    // Remove tokens and expiry time from localStorage
    localStorage.removeItem('access_token');
    localStorage.removeItem('id_token');
    localStorage.removeItem('expires_at');
    displayButtons();
  }

React sample:

  logout() {
    // Clear access token and ID token from local storage
    localStorage.removeItem('access_token');
    localStorage.removeItem('id_token');
    localStorage.removeItem('expires_at');
    // navigate to the home route
    history.replace('/home');
  }

Are they hitting the endpoint elsewhere? Or should these docs be altered or am I misunderstanding something here.

jmangelo · December 19, 2017, 6:01pm

As the documentation mentions there can be a few layers when it comes to logout so the level at which you want to perform logout needs to be decided on a case-by-case basis. It could be argued that the samples could show how to perform the different possibilities and I would personally agree, however, doing only a client application logout like in the samples you mentioned can still be just what you want in some scenarios.

I think ideally the samples should be explicit about what they are doing and if they only clear the client application session they should state that and then link to the logout documentation for further information; I’ll relay this possibility internally.

In conclusion, technically the answer to your title question is it depends.