Device Flow Logout

I am developing a Python CLI application that uses the Auth0 OAuth2 device flow to log in a user and get tokens. I have successfully implemented the flow and am able to log in users and receive tokens.

How can I log out a user (from Auth0)? I have tried making requests to the /oidc/logout endpoint and providing the id_token for id_token_hint and the client_id.

The response returns 200 OK with an HTML page that says “You have successfully logged out.”

The user’s logs (history) do NOT show a “Success Logout” event.

I can see a “Success Logout” event in the tenant’s logs:

{
  "date": "2024-11-27T21:54:14.647Z",
  "type": "slo",
  "connection_id": "",
  "client_name": "myclient",
  "ip": "myip",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "details": {
    "allowed_logout_url": []
  },
  "hostname": "myhostname.us.auth0.com",
  "user_id": "",
  "user_name": "",
  "$event_schema": {
    "version": "1.0.0"
  },
  "log_id": "900202411272154146723423423423401223372061527155712",
  "tenant_name": "mytenantname",
  "_id": "90020241134234234234000000001223372061527155712",
  "isMobile": false,
  "originalData": ...,
  "integrityRuleset": {},
  "id": "900202411272154143423423472061527155712",
  "description": "User successfully logged out"
}

As you see, there is no user_id or other user data associated with this log out.

I assume this is because the id_token that I receive from the device flow does NOT include an SID (session id), and so it can’t be used to look up and end the user’s session?

At any rate, using the /oidc/logout route only seems to work inside a browser.

The result is that the user is actually not logged out from the Auth0 session, and subsequent login attempts bypass the login screen without choosing a login method.

What is the correct way to approach logout for a CLI application that does not interact with the browser? How do I log the user out of their Auth0 session programmatically?
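Whether an ID token carries a `sid` claim, as the question above wonders, can be checked by decoding its payload. The following is an added example, not part of the original post or Auth0's code; the function names and both sample tokens are constructed for illustration, and the payload is read without signature verification, so it is for inspection only.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unverified_claims(id_token: str) -> dict:
    """Return the payload of a compact JWS without checking its signature.

    Inspection only: never make an authorization decision on these claims.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def session_binding(id_token: str) -> dict:
    """Report the subject and whether a session id (sid) claim is present."""
    claims = unverified_claims(id_token)
    sid = claims.get("sid")
    return {"sub": claims.get("sub"), "sid": sid,
            "has_sid": isinstance(sid, str) and sid != ""}


def make_sample_token(claims: dict) -> str:
    # Constructed sample token with a dummy signature, for the demo only.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


# Constructed claims: one token without sid, one with it.
BASE = {"iss": "https://tenant.example/", "sub": "auth0|constructed", "aud": "client"}
TOKEN_WITHOUT_SID = make_sample_token(BASE)
TOKEN_WITH_SID = make_sample_token({**BASE, "sid": "constructed-session-id"})

if __name__ == "__main__":
    for name, tok in (("no sid", TOKEN_WITHOUT_SID), ("with sid", TOKEN_WITH_SID)):
        print(name, session_binding(tok))
```

Running `session_binding` on the real `id_token` returned by the device flow shows directly whether a `sid` is present in the value sent as `id_token_hint`.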

Hi @oem

Welcome back to the Auth0 Community!

Thank you for posting your question. In the Device Login Flow, there is no session on the application level (on the device). The only way to log out a device is to unlink it from the user → Device Authorization Flow. You can read more about session layers and logout here → Session Layers

Thanks
Dawid

@dawid.matuszczyk thank you for your reply.

For clarification, when you say “there is no session on the application level (on the device)”, do you mean there is no Auth0 session? (as shown in this diagram from an Auth0 blog post)

In my Auth0 dashboard, when a user logs in using a device flow I see the following in the User Management → Users section (for the given user logging in):

History tab:

  1. Success Login
  2. Success Exchange

Devices tab:

A device gets added

At this point, what is the correct approach to “Log out” the user? The desired outcome is that after logging out, the next time they try to log in, they will be given the option to select login (social) provider etc.

Currently as I am understanding it, what I want to do is log the user out of their Auth0 session.