The logout function from the Auth0 JavaScript SPA SDK redirects to the /v2/logout Auth0 endpoint, but I need to use the OIDC endpoint /oidc/logout instead so I can access the ‘state’ parameter, which as far as I can tell the Auth0 endpoint does not support.
After doing some research, I can see this is a known limitation of the SDK judging from other posts I’ve found on the topic:
I’ve been able to implement a workaround by manually redirecting to the OIDC endpoint, rather than using the SDK’s logout function like so:
However, I’m wary this may cause issues especially around error catching / caching performed by the SDK. Is there anything else the SDK logout function is doing under the hood I would need to replicate, or is there a safer approach for achieving state passthrough behaviour that’s recommended?
The risk you identified is accurate since if you perform a manual redirect without calling the SDK’s logout method, you bypass the local cleanup process. This leaves “zombie” tokens in storage and keeps the auth0.is.authenticated cookie active, which can cause your app to think the user is still logged in when they return.
The safest approach is to use the openUrl option within the auth0Client.logout() method, defined and exampled in the Interface LogoutOptions of the Auth0-Spa-Js SDK. This is a built-in extension point specifically designed for this scenario.
When you use this function, the SDK performs its essential “under the hood” tasks first: it wipes the internal cache, clears local storage, and resets the session cookies. Once that cleanup is complete, the SDK executes your openUrl callback instead of performing its own redirect.
Because openUrl intercepts the navigation, the SDK stops and waits for you to handle the final step, so you should construct your OidcURL using your state and the id_token_hint (accessible via getIdTokenClaims().__raw), then call window.location.replace() inside that callback to manually trigger the move to your OIDC endpoint.
This ensures your application state remains clean and secure while successfully passing your custom state through the OIDC flow.
Thank you and if you have further questions please let me know!
Best regards,
Remus
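The approach described in the answer above, as an added example that is not part of the original thread or Auth0's own code. It assumes an `Auth0Client` from `@auth0/auth0-spa-js` v2; `buildOidcLogoutUrl`, `logoutWithState`, the `navigate` parameter and the example hostnames are hypothetical names. Because the SDK clears its cache before it runs `openUrl`, the raw ID token is read before `logout()` is called.

```javascript
// Added example; function names and hostnames are assumptions, not SDK API.
// Builds the RP-initiated logout URL for the tenant's /oidc/logout endpoint.
function buildOidcLogoutUrl({ domain, idToken, returnTo, state }) {
  const url = new URL(`https://${domain}/oidc/logout`);
  // searchParams percent-encodes each value, so a state containing
  // '&' or '=' cannot inject extra query parameters.
  url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("post_logout_redirect_uri", returnTo);
  url.searchParams.set("state", state);
  return url.toString();
}

// auth0Client: an Auth0Client instance from @auth0/auth0-spa-js.
// navigate: injectable so the flow can be tested outside a browser.
async function logoutWithState(
  auth0Client,
  { domain, returnTo, state },
  navigate = (url) => window.location.replace(url)
) {
  // Read the raw ID token BEFORE logout(): the SDK wipes its cache first,
  // so the token is no longer available once openUrl runs.
  const claims = await auth0Client.getIdTokenClaims();
  if (!claims || !claims.__raw) {
    // No ID token to hint with: fall back to the SDK's default logout so
    // local cleanup still happens (state is not passed in this case).
    await auth0Client.logout({ logoutParams: { returnTo } });
    return null;
  }
  const target = buildOidcLogoutUrl({
    domain,
    idToken: claims.__raw,
    returnTo,
    state,
  });
  await auth0Client.logout({
    // The SDK hands its own /v2/logout URL to openUrl; it is ignored here
    // and the browser is sent to the OIDC endpoint instead.
    openUrl: async () => navigate(target),
  });
  return target;
}
```

The `returnTo` value still has to be registered as an allowed logout URL for the application, and the `state` that comes back on that URL should be compared with the value that was sent.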