Clear Auth0 session cookie inside Action

Problem statement

Our current authentication workflow is:

  • The user accesses the application
  • The user is redirected to the Auth0 sign-in page
  • The user authenticates against the Custom Database (a session cookie is created)
  • The user is redirected by an Action to an external Custom MFA page
  • In some cases the MFA is not successful → the MFA page redirects to the Auth0 /continue URL so that the Action can verify the session token and invalidate it (this works)

The problem is that the last step simply blocks the authentication using api.access.deny(), which doesn’t clear the session cookie. If we try to authenticate again, we skip the login/password page and are redirected directly to the MFA page.
How can we clear the Auth0 session cookie inside an Action?

Solution

You can do something like this:

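// Client ID of the application that started this login flow
const clientId = event.client.client_id;
// Replace {{auth0_domain}} with your tenant domain; /v2/logout clears the Auth0 session
api.redirect.sendUserTo(`https://{{auth0_domain}}/v2/logout?client_id=${clientId}`);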

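In this case, the Action sends the user to the logout endpoint. Because the request carries a client_id but no returnTo parameter, the user is then redirected to the first Allowed Logout URL configured in the Application used to perform the login flow.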