Problem statement
We have a current workflow for authentication:
- User accesses the application
- User is redirected to the Auth0 sign-in page
- User authenticates to the Custom Database (session cookie created)
- User is redirected by an Action to an external Custom MFA page
- In some cases the MFA is not successful → the MFA page redirects to the Auth0 /continue URL so that the Action can verify the session token and invalidate it (this works)
The problem is that the last step simply blocks the authentication using api.access.deny(), but this doesn't clear the session cookie. If we try to authenticate again, we skip the login/password page and get redirected directly to the MFA page.
How can we clear the Auth0 session cookie inside an Action?
Solution
You can do something like this:
```javascript
// In the Action handler that runs once the MFA page has returned to /continue;
// replace {{auth0_domain}} with the tenant (or custom) domain the session cookie was set on
const returnTo = event.client.client_id;
api.redirect.sendUserTo(`https://{{auth0_domain}}/v2/logout?client_id=${returnTo}`);
```
In this case, the Action will redirect to the first Allowed Logout URL configured in the Application you use to perform the login flow.
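As an added example (not the original poster's code, not the answer's, and not Auth0's), here is the full Action this thread describes: the post-login handler sends the user to the external MFA page with a signed token, and the continue handler verifies the token the MFA page posts back and, on an MFA failure, ends the Auth0 session by redirecting to /v2/logout instead of only calling api.access.deny(). It assumes the standard Actions post-login `event`/`api` objects, that the redirect is issued from the continue handler as the answer above implies, and three hypothetical Action secrets: `MFA_TOKEN_SECRET` (shared with the MFA page), `MFA_PAGE_URL` and `APP_LOGIN_URL`. The logout URL is built on `event.request.hostname` so that, when the login used a custom domain, the cookie on that domain is the one cleared; the `returnTo` value must appear in the application's Allowed Logout URLs, and when it is omitted Auth0 falls back to the first Allowed Logout URL, as the answer says.

```javascript
// Added example; assumed secret names: MFA_TOKEN_SECRET, MFA_PAGE_URL, APP_LOGIN_URL.

// Build the /v2/logout URL. The hostname must be the domain the Auth0 session
// cookie was set on (the custom domain, if the login used one) or nothing is
// cleared. returnTo is optional; if present it must be an Allowed Logout URL.
function buildLogoutUrl(hostname, clientId, returnTo) {
  const url = new URL(`https://${hostname}/v2/logout`);
  url.searchParams.set("client_id", clientId);
  if (returnTo) url.searchParams.set("returnTo", returnTo);
  return url.toString();
}

// Map the MFA page's verified payload to an outcome: "continue" | "deny" | "logout".
// Kept as a pure function so the decision can be tested without the Actions runtime.
function decideAfterMfa(payload) {
  if (!payload || typeof payload !== "object") return "deny";
  if (payload.mfa === "ok") return "continue";
  // Any non-success result: drop the session so the next attempt starts at the
  // login/password page instead of going straight back to the MFA page.
  return "logout";
}

async function onExecutePostLogin(event, api) {
  // A short-lived signed token ties the MFA round-trip to this login transaction.
  const token = api.redirect.encodeToken({
    secret: event.secrets.MFA_TOKEN_SECRET,
    expiresInSeconds: 300,
    payload: { sub: event.user.user_id },
  });
  api.redirect.sendUserTo(event.secrets.MFA_PAGE_URL, {
    query: { session_token: token },
  });
}

async function onContinuePostLogin(event, api) {
  let payload;
  try {
    // Verify the token the MFA page sent back with the /continue request.
    payload = api.redirect.validateToken({
      secret: event.secrets.MFA_TOKEN_SECRET,
      tokenParameterName: "session_token",
    });
  } catch (err) {
    api.access.deny("Invalid or expired MFA token");
    return;
  }

  switch (decideAfterMfa(payload)) {
    case "continue":
      return;
    case "logout":
      // Ending the session here is what makes the next login show the credentials page again.
      api.redirect.sendUserTo(
        buildLogoutUrl(event.request.hostname, event.client.client_id, event.secrets.APP_LOGIN_URL)
      );
      return;
    default:
      api.access.deny("MFA failed");
  }
}

// Auth0 loads the handlers from module exports; guarded so the file also runs outside Node's CommonJS.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
  exports.onContinuePostLogin = onContinuePostLogin;
}
```

The handlers are `async` but contain no `await`, so every call on `api` happens synchronously, which is what lets the decision be exercised with a stub `api` object. The MFA page's own token format (the `mfa` claim checked in `decideAfterMfa`) is an assumption of this example.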