First we have a legacy app which uses Universal Login with the default domain (tenant.auth0.com).
Then there’s a newer app which uses embedded login and is using a custom domain (login.tenant.com).
Both have the same client ID configured.
I would like to achieve that, no matter which app I use to log in, authentication status is shared between the two. And that generally works; however, when signing out from the newer app, you can still get a valid session on the legacy app. Basically, I can’t log out from the new app.
Do I need to change the legacy app to use the custom domain as well, or am I missing some kind of configuration? Logout URLs are configured correctly, FYI, and I am not getting any kind of error.
Yes, you will have to change the legacy app to use the custom domain for SSO to work across your applications. The sessions are different and not shared between the canonical and custom domains.
In my tests, I found that the sessions are not shared when logging in or logging out between the two domains. But if you are observing this issue only when logging out, it may be worth trying to call the https://login.tenant.com/v2/logout endpoint in conjunction with the https://tenant.auth0.com/v2/logout endpoint to log the user out from both sessions.
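As an added illustration of the workaround above (not code from the thread or from Auth0), this builds a single logout redirect that passes through /v2/logout on the custom domain, then on the canonical domain, and finally back to the app, and checks every hop in the chain before redirecting. The domains come from the question; the client ID and app return URL are placeholders, and it is assumed that the canonical-domain logout URL and the app URL are both in the application's Allowed Logout URLs.

```javascript
// Domains from the question; client id and app URL are assumed placeholders.
const CUSTOM_DOMAIN = "login.tenant.com";
const CANONICAL_DOMAIN = "tenant.auth0.com";
const CLIENT_ID = "CLIENT_ID_PLACEHOLDER";
const APP_RETURN_TO = "https://app.tenant.com/logged-out";

// Auth0's /v2/logout takes client_id and returnTo. returnTo must be allow-listed
// in the application's Allowed Logout URLs, so the inner (canonical) logout URL
// has to be allow-listed as well (assumption about the tenant configuration).
function logoutUrl(domain, clientId, returnTo) {
  const u = new URL(`https://${domain}/v2/logout`);
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("returnTo", returnTo);
  return u.toString();
}

// Custom-domain logout -> canonical-domain logout -> back to the app.
// This ends both server-side sessions in one user-visible redirect chain.
function buildChainedLogoutUrl(clientId, appReturnTo) {
  const canonicalLogout = logoutUrl(CANONICAL_DOMAIN, clientId, appReturnTo);
  return logoutUrl(CUSTOM_DOMAIN, clientId, canonicalLogout);
}

// Walk the nested returnTo parameters and collect the host of every hop.
function chainHosts(url) {
  const hosts = [];
  let current = url;
  while (current) {
    const u = new URL(current);
    hosts.push(u.host);
    current = u.searchParams.get("returnTo");
  }
  return hosts;
}

// Open-redirect guard: only redirect if every hop lands on a host we expect.
function isSafeChain(url, allowedHosts) {
  return chainHosts(url).every((h) => allowedHosts.includes(h));
}

// Browser usage (no-op under Node): send the user through both logouts.
const ALLOWED_HOSTS = [CUSTOM_DOMAIN, CANONICAL_DOMAIN, new URL(APP_RETURN_TO).host];
if (typeof window !== "undefined") {
  const target = buildChainedLogoutUrl(CLIENT_ID, APP_RETURN_TO);
  if (isSafeChain(target, ALLOWED_HOSTS)) window.location.assign(target);
}
```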