Auth0 session persists after using logout method in front end

Hi,

I’m trying to log out of my app. I handle the SPA application-level stuff and delete the state/cookie/localStorage/etc.

Then I try to log out at the Auth0 level, and although there’s no error and the redirection works, I can still make backend requests (for example using Postman) with the old token that should have been destroyed during logout. I can also request the /userinfo API after logout, and it still returns a successful response, which is not what I would expect after a logout.

I checked in the Auth0 dashboard and it does record the Success Logout in my user history, which is confusing since everything still works as if I were logged in.

Here’s what I tried:

Using the logout() method from the auth0-js SDK:

// auth0-js WebAuth logout: redirects the browser to the tenant's /v2/logout
// endpoint (ending the Auth0 session) and then back to returnTo
auth0.logout({
  returnTo: 'http://my.domain',
  client_id: 'my.client.id',
});

And I tried using a GET request directly from within my front-end code (on my localhost, this request only works if I add mode: 'no-cors' to my fetch).

// Calling the logout endpoint from script instead of a browser redirect;
// 'no-cors' gives an opaque response, so the result cannot be inspected
fetch('https://YOUR_DOMAIN/v2/logout?client_id=CLIENT_ID&returnTo=RETURN_URL', {
  method: 'GET',
  mode: 'no-cors',
})

Should these methods destroy the token or not?

Thanks

Hi @plnic

Logging out destroys the session, but not access tokens.
Access tokens cannot be revoked. They are self-contained, enabling verification by the backend without contacting Auth0 (except to get the signature verification keys which don’t change very often and should be cached). Thus there is no way to revoke them.

Make your access tokens short-lived because of this.

John