Hi,
I’m trying to log out of my app. I handle the SPA application-level stuff and delete the state/cookie/localStorage/etc.
Then I try to log out at the Auth0 level, and although there’s no error and the redirection works, I can still make backend requests (for example, using Postman) with the old token that should have been destroyed during logout. I can also call the /userinfo API after logout, and it still returns a successful response, which is not what I would expect after a logout.
I checked in the Auth0 dashboard and it does record the Success Logout in my user history, which is confusing since everything still works as if I were logged in.
Here’s what I tried:
Using the logout() method from the auth0-js SDK:
auth0.logout({
returnTo: 'http://my.domain',
client_id: 'my.client.id',
});
And I tried using a GET request directly from within my front-end code (on my localhost, this request only works if I add mode: 'no-cors' to my fetch).
fetch('https://YOUR_DOMAIN/v2/logout?client_id=CLIENT_ID&returnTo=RETURN_URL', {
method: 'GET',
mode: 'no-cors',
headers: {},
})
Should these methods destroy the token or not?
Thanks
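The following is an added example, not code from the original post or from Auth0. It shows the mechanics behind what the post describes: logging out at Auth0 is a browser redirect to /v2/logout that ends the Auth0 session cookie, while the access token is a self-contained JWT that a stateless API (and /userinfo) accepts until its exp claim passes, so the logout does not "destroy" it. The only way for your own API to reject a not-yet-expired token after logout is to keep its own record of revoked tokens. The tenant domain, client id, returnTo URL, the JtiDenylist class and the sample token are all placeholders constructed here; nothing in the block talks to Auth0.

```javascript
// Added example (not the original poster's code). All names and values are
// assumed placeholders; the sample token is constructed and unsigned.

// 1. Logout at Auth0 is a top-level navigation to /v2/logout, which clears the
//    Auth0 session cookie. Build the URL with proper encoding of returnTo and
//    use window.location.assign(url) in the browser. A cross-origin fetch()
//    (even with mode: 'no-cors') does not send the Auth0 session cookie by
//    default and the user never follows the returnTo redirect.
function buildLogoutUrl(domain, clientId, returnTo) {
  const url = new URL(`https://${domain}/v2/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  return url.toString();
}

// 2. Decode a JWT payload without verifying it (inspection only; a resource
//    server must verify the signature before trusting any claim).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// 3. A stateless API looks only at the token. Logging out of Auth0 does not
//    change the exp claim, so the token keeps working until it expires.
function isTokenExpired(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(token);
  return typeof exp !== 'number' || exp <= nowSeconds;
}

// 4. Hypothetical in-memory denylist keyed by jti: the API's own state that
//    lets it reject a still-valid token after logout. Entries are dropped once
//    the token would have expired anyway. A real deployment would use a shared
//    store so every API instance sees the same revocations.
class JtiDenylist {
  constructor() {
    this.revoked = new Map(); // jti -> exp (seconds since epoch)
  }
  revoke(token) {
    const { jti, exp } = decodeJwtPayload(token);
    if (!jti || typeof exp !== 'number') throw new Error('token lacks jti/exp');
    this.revoked.set(jti, exp);
  }
  isRevoked(token, nowSeconds = Math.floor(Date.now() / 1000)) {
    const { jti } = decodeJwtPayload(token);
    const exp = this.revoked.get(jti);
    if (exp === undefined) return false;
    if (exp <= nowSeconds) { this.revoked.delete(jti); return false; } // expired anyway
    return true;
  }
}

// Per-request decision for the API (signature verification omitted here):
// reject if expired, then reject if the token was denylisted at logout.
function shouldAcceptToken(token, denylist, nowSeconds) {
  return !isTokenExpired(token, nowSeconds) && !denylist.isRevoked(token, nowSeconds);
}

// Constructed sample token: correct three-part structure, fake signature.
function makeSampleToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(payload)}.fakesignature`;
}

const NOW = 1700000000; // fixed "current time" so the demo is deterministic
const sampleToken = makeSampleToken({
  iss: 'https://YOUR_DOMAIN/', sub: 'auth0|user', aud: 'https://api.example.com',
  iat: NOW, exp: NOW + 3600, jti: 'abc-123',
});

// Demo: before logout the token is accepted; after the API denylists it at
// logout time it is rejected, even though exp has not passed.
const denylist = new JtiDenylist();
console.log(buildLogoutUrl('YOUR_DOMAIN', 'CLIENT_ID', 'http://my.domain/'));
console.log('accepted before logout:', shouldAcceptToken(sampleToken, denylist, NOW + 60));
denylist.revoke(sampleToken);
console.log('accepted after logout: ', shouldAcceptToken(sampleToken, denylist, NOW + 60));
```

In practice, pair this with short access-token lifetimes and revoke the refresh token at logout so new access tokens cannot be minted; the denylist only covers the window between logout and the access token's own expiry.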