Device Flow Logout

I am developing a Python CLI application that uses the Auth0 OAuth2 device flow to login a user and get tokens. I have successfully implemented the flow and am able to login users and receive tokens.

How can I logout a user (from Auth0)? I have tried making requests to the /oidc/logout endpoint and providing the id_token for id_token_hint and the client_id.

The response returns 200 OK with an html page that says “You have successfully logged out.”

The user’s logs (history) do NOT show a “Success Logout” event.

I can see a “Success Logout” event in the tenant’s logs:

{
  "date": "2024-11-27T21:54:14.647Z",
  "type": "slo",
  "connection_id": "",
  "client_name": "myclient",
  "ip": "myip",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "details": {
    "allowed_logout_url": []
  },
  "hostname": "myhostname.us.auth0.com",
  "user_id": "",
  "user_name": "",
  "$event_schema": {
    "version": "1.0.0"
  },
  "log_id": "900202411272154146723423423423401223372061527155712",
  "tenant_name": "mytenantname",
  "_id": "90020241134234234234000000001223372061527155712",
  "isMobile": false,
  "originalData": ...,
  "integrityRuleset": {},
  "id": "900202411272154143423423472061527155712",
  "description": "User successfully logged out"
}

As you see, there is no user_id or other user data associated with this log out.

I assume this is because the id_token that I receive from the device flow does NOT include an SID (session id), and so it can’t be used to look up and end the users’s session?

At any rate, using the /oidc/logout route only seems to work inside a browser.

The result is that the user is actually not logged out from the Auth0 session, and subsequent login attempts bypass the login screen without choosing a login method.

What is the correct way to approach logout for a CLI application that does not interact with the browser? How do I log the user out of their Auth0 session programatically?

Hi @oem

Welcome back to the Auth0 Community!

Thank you for posting your question. In the Device Login Flow, there is no session on the application level (on the device). The only way to logout device is to unlink it from the user → Device Authorization Flow. You can read more about session layers and logout here → Session Layers

Thanks
Dawid

@dawid.matuszczyk thank you for your reply.

For clarification, when you say “there is no session on the application level (on the device)”, do you mean there is no Auth0 session? (as shown in this diagram from an Auth0 blog post)

In my Auth0 dashboard, when a user logs in using a device flow I see the following in the User Management → Users section (for the given user logging in):

History tab:

  1. Success Login
  2. Success Exchange

Devices tab:

A device gets added

At this point, what is the correct approach to “Log out” the user. The desired outcome is that after logging out, the next time they try to log in, they will be given the option to select login (social) provider etc.

Currently as I am understanding it, what I want to do is log the user out of their Auth0 session.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.