Clear session at application level after Auth0 logout

I have created 2 applications using Flask and use Auth0 for SSO. After login I store the user info in the Flask session. When I click on logout, it clears that session and redirects to the Auth0 logout URL.

Now, my question is: when I click on logout from one application, that clears the session at the application level. How can I clear the session in the other application, which is on a different domain? Or is there anything in Auth0 to notify all my applications when I log out?

Here is the logout code:

    from urllib.parse import urlencode
    from flask import redirect, session, url_for

    @app.route('/logout')
    def logout():
        # Clear the local Flask session, then end the Auth0 session as well
        session.clear()
        params = {'returnTo': url_for('login', _external=True), 'client_id': AUTH0_CLIENT_ID}
        return redirect(AUTH0_BASE_URL + '/v2/logout?' + urlencode(params))

You’re looking for single logout. You’re halfway there.

Read the second section.

1 Like

I have read that, but my question is: "Is there anything from Auth0 to tell all my applications when a logout occurs from one application?"

Hi, no.

As per that page:

Redirecting users to the logout endpoint does not cover the scenario where users need to be signed out of all of the applications they used. If you need to provide this functionality you will have to handle this in one of two ways:

Have short timeouts on your local session and redirect to Auth0 at short intervals to re-authenticate. NOTE: this can be done by calling checkSession from the client which does this redirect in a hidden iFrame. If you take the hidden iFrame approach you need to be aware of rate limits and third-party cookie issues.

Handle this entirely at the application level by providing your applications a way to notify all other applications when a logout occurs.

Ok, so as per the documentation I have to manage it on my own, right?

So can you please tell me how I can achieve that?

Thanks,
simpleauthority

Well, like the page says you can periodically redirect to auth0’s authorize endpoint to ensure a session is still active. The auth0 client has a checkSession method which does this for you. If you don’t use the official client, then just do it manually by redirecting yourself.

The other option described on the page is to use some sort of messaging system. Redis comes to mind, but there are other options. If you choose Redis, you would want to set up pub-sub (publish-subscribe) messaging. When a user logs out, publish their user id with a message of "logout" or something. On the other applications, receive this and then reset the local state so they are "logged out".

The second option is more complex. Redirecting to the authorize endpoint is probably the easier option, and potentially the smarter option, but I am not informed about your architecture, so that is a decision you need to make yourself.

In any case, the gist is that you need to sync auth state. Either you can do that yourself, or you can delegate to auth0 to tell you.

2 Likes
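The pub-sub approach from the answer above, as an added example that is not part of this thread and not Auth0's code. It stands in an in-memory `LogoutBus` for the Redis channel so it runs offline, keeps each application's sessions server-side and indexed by the Auth0 `sub` claim (Flask's default client-side cookie session cannot be revoked remotely), and adds two things a practitioner wants before trusting a shared logout channel: an HMAC over each event so a subscriber can reject forged "logout" messages, and a nonce plus timestamp so a captured event cannot be replayed. The shared secret, application names and user ids are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time
from collections import defaultdict

# Constructed demo secret shared by every application that listens on the
# logout channel; a real deployment would load it from each app's config.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def sign(payload: bytes) -> str:
    """HMAC-SHA256 over the serialized event so subscribers can reject forgeries."""
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()


class LogoutBus:
    """In-memory stand-in for the Redis pub/sub channel (hypothetical, no broker needed)."""

    def __init__(self):
        self.subscribers = []
        self.last_message = None  # kept only so the replay check can be exercised

    def subscribe(self, handler):
        self.subscribers.append(handler)

    def publish(self, message: bytes):
        self.last_message = message
        for handler in self.subscribers:
            handler(message)


class AppSessions:
    """Server-side session store of one application, indexed by the Auth0 'sub' claim."""

    def __init__(self, name: str, bus: LogoutBus, max_age_seconds: int = 60):
        self.name = name
        self.bus = bus
        self.max_age_seconds = max_age_seconds
        self.sessions = {}                 # session_id -> sub
        self.by_sub = defaultdict(set)     # sub -> {session_id, ...}
        self.seen_nonces = set()           # replay protection for logout events
        bus.subscribe(self.on_message)

    def login(self, session_id: str, sub: str) -> None:
        self.sessions[session_id] = sub
        self.by_sub[sub].add(session_id)

    def is_logged_in(self, session_id: str) -> bool:
        return session_id in self.sessions

    def logout(self, session_id: str) -> None:
        """Local logout (what the Flask /logout route would call) plus broadcast."""
        sub = self.sessions.pop(session_id, None)
        if sub is None:
            return
        self.by_sub[sub].discard(session_id)
        event = {
            "event": "logout",
            "sub": sub,
            "origin": self.name,
            "issued_at": int(time.time()),
            "nonce": secrets.token_hex(8),
        }
        payload = json.dumps(event, sort_keys=True).encode()
        envelope = {"payload": payload.decode(), "sig": sign(payload)}
        self.bus.publish(json.dumps(envelope).encode())

    def on_message(self, raw: bytes) -> bool:
        """Subscriber side: verify, de-duplicate, then drop every session of that user."""
        envelope = json.loads(raw)
        payload = envelope.get("payload", "").encode()
        if not hmac.compare_digest(sign(payload), envelope.get("sig", "")):
            return False                                   # forged or tampered
        event = json.loads(payload)
        if event.get("event") != "logout":
            return False
        if abs(time.time() - event.get("issued_at", 0)) > self.max_age_seconds:
            return False                                   # stale event
        if event.get("nonce") in self.seen_nonces:
            return False                                   # replayed event
        self.seen_nonces.add(event.get("nonce"))
        for sid in self.by_sub.pop(event.get("sub"), set()):
            self.sessions.pop(sid, None)
        return True


if __name__ == "__main__":
    bus = LogoutBus()
    app_a, app_b = AppSessions("app-a", bus), AppSessions("app-b", bus)
    app_a.login("s1", "auth0|user1")
    app_b.login("s2", "auth0|user1")
    app_a.logout("s1")           # logging out of app-a also ends the app-b session
    print("app-b session still valid:", app_b.is_logged_in("s2"))
```

In a real deployment `LogoutBus.publish` and `subscribe` map onto the Redis client's publish and subscribe calls, and `AppSessions.logout` is what the `/logout` route runs before redirecting to the Auth0 logout endpoint. The signature matters because anyone who can write to the channel could otherwise log out arbitrary users; the nonce and timestamp bound how long a captured event stays useful.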

It's helpful :grinning:

Thank you,
simpleauthority

1 Like

Glad you have it working now!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.