Auto Logging Me In

I’m using the PHP SDK and all the code is working - so far so good!
I logged in with a Google account - which worked, so then I thought I’d try to sign in using an email address and password - which also worked.

Now when I click on my login link I get auto logged in using the email address and password I last registered with. I was expecting to see the Auth0 login screen, which would then allow me to switch to another account.

When logging out I use $auth0->logout() and I’ve checked there’s nothing left in the session.

How can I disable this feature - it seems like a bit of a security issue as on a shared computer all someone needs to do is click on the login link.

Hello @auth02,

Make sure you are completing all the steps required to fully log the user out. In particular, you need to log out of any social providers, like Google.

1 Like

I have the same issue with iOS. I am already calling:

        Auth0
            .webAuth()
            .clearSession(federated: true) {
                callback($0)
            }

but I still don’t get logged out of Google. Any suggestions? (I’ve tried federated:false also).

1 Like

@mahboud Welcome to Auth0 Community.

Are you by any chance using Auth0 developer keys? Check the dev keys limitations with social identifiers here: Test Social Connections with Auth0 Developer Keys.

Federated Logout does not work. When using the Auth0 developer keys, calling /v2/logout?federated will sign the user out of Auth0, but not out of the Social Identity Provider.

I’m not exactly sure where these dev keys are located and how to use my own keys. When I created the app, I got a domain that I can’t seem to change now. Is that where the dev keys come from?

1 Like

Those are the Client ID and Client Secret of your Google Social connection. By default Auth0 will populate those with Auth0 developer keys so you are ready to test the connection. However, you should register your own Google app as described here: https://auth0.com/docs/connections/social/google#1-set-up-your-app-in-google. Once you do that you will have your own set of Client ID and Secret that is specific to your own Google app instead of Auth0.

Hope that helps.

2 Likes
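The logout layers discussed in this thread (the application's own session, the Auth0 session, and optionally the social provider's session via `federated`), as an added example in plain PHP. It is not code from any poster or from the Auth0 SDK; the function names, tenant domain, client ID and return URL are hypothetical placeholders.

```php
<?php
declare(strict_types=1);

// Added example: plain PHP, no SDK calls. All identifiers are hypothetical.

// Build the tenant's /v2/logout URL. The bare "federated" flag asks Auth0 to
// also sign the user out of the upstream identity provider (e.g. Google).
function buildAuth0LogoutUrl(string $domain, string $clientId, string $returnTo, bool $federated): string
{
    $query = http_build_query(
        ['client_id' => $clientId, 'returnTo' => $returnTo],
        '',
        '&',
        PHP_QUERY_RFC3986
    );
    if ($federated) {
        $query .= '&federated';
    }
    return 'https://' . $domain . '/v2/logout?' . $query;
}

// Clear the local PHP session, then send the browser to Auth0 so the
// Auth0 session cookie is cleared too. Clearing only the local session leaves
// the Auth0 session alive, so the next click on the login link signs the
// user straight back in.
function fullLogout(string $domain, string $clientId, string $returnTo, bool $federated = true): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
    }
    header('Location: ' . buildAuth0LogoutUrl($domain, $clientId, $returnTo, $federated), true, 302);
    exit;
}

// Example call with placeholder values. The returnTo URL must be listed in the
// application's Allowed Logout URLs in the Auth0 dashboard:
// fullLogout('YOUR_TENANT.auth0.com', 'YOUR_CLIENT_ID', 'https://app.example.com/');
```

As noted above, the `federated` part has no effect on the social provider while the connection still uses Auth0 developer keys.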
