Express-openid-connect isAuthenticated not working properly when logout

I am using the express-openid-connect library to log in via SSO and I'm experiencing a weird behavior.

This function is called to log in and checks req.oidc.isAuthenticated(). If it is false, it connects to my SAML connector, which works perfectly, and later in the console.log I can see that “authenticated: req.oidc.isAuthenticated()” logs true:

router.get('/auth0sso/:org_acronym', async (req, res) => {
  const orgAcronym = req.params.org_acronym
  try {
    const auth0Connector = await ssoApp.getSSOFlow({
      ssoConnection: SSOConnection.AUTH0,
      orgAcronym,
    })

    if (!auth0Connector) {
      throw new TraytError('error').setCode(4113)
    }

    if (!req.oidc.isAuthenticated()) {
      return res.oidc.login({
        authorizationParams: {
          connection: auth0Connector,
        },
      })
    }

    if (!req.oidc?.accessToken?.access_token) {
      throw new TraytError('error').setCode(4107)
    }

    const { redirectUrl, azp } = await ssoAppv2.verifyAuth0Token({
      accessToken: req.oidc.accessToken.access_token,
      clientId: req.query.client_id,
    })
    console.log({
      authenticated: req.oidc.isAuthenticated(),
    })
    const user = req.oidc.user
    const email = user?.email

    res.redirect(`${redirectUrl}?code=${azp}&email=${email}`)
  } catch (error) {
    processError(res, error)
  }
})

Then I finish my login and reach my logged-in webpage.
When I try to log out, I call the following function:

router.post('/logout', authenticateLogoutRequest, async (req, res) => {
  try {
    console.log({
      auth2: req.oidc.isAuthenticated(),
    })
    await usersApp.logoutUser({
      userId: req.user.userId,
      deviceId: req.user.deviceId,
      accessToken: req.accessToken,
    })
    if (req.oidc.isAuthenticated()) {
      return res.oidc.logout()
    }
  } catch (err) {
    processError(res, err)
  }
})

But when I log auth2, it returns false and I have no idea why. This causes an issue where I am never able to log out the user (I never see the logout log in the Auth0 portal in the user tab, just the login).

Hi @rafael4

Thank you for posting your inquiry on the Auth0 Community!

I believe that your application does not delete the user cookies upon logout even after all the parameters have been set correctly according to our OIDC logout documentation.

You can attempt to delete all the user cookies as a potential workaround as follows:

/* LOGOUT ROUTER */
router.get('/logout', (req, res) => {
  req.logout();
  if (req.session) {
    req.session.destroy(function (err) {
      if (err) {
        console.log(err)
      }
      console.log("Destroyed the user session on Auth0 endpoint");
      res.redirect('https://<myapp>.auth0.com/v2/logout?client_id=<clientId>&returnTo=http://localhost:3000/');
    });
  }
});

Please keep in mind that the returnTo address is also under the Allowed Logout URLs.

You can read more about terminating a user’s session for OIDC in this Knowledge Article.
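
An added example, not part of the original thread or of Auth0's code: one way to build the `/v2/logout` redirect used in the workaround above with encoded parameters and a local pre-check of `returnTo` against a list mirroring the Allowed Logout URLs. The tenant domain, client ID and URLs are constructed sample values, and the function names are hypothetical.

```javascript
// Constructed sample list; keep it identical to the tenant's Allowed Logout URLs.
const ALLOWED_LOGOUT_URLS = [
  'http://localhost:3000/',
  'https://app.example.com/signed-out?from=logout&lang=en',
];

// Accept only absolute http(s) URLs that match an allowed entry after URL
// normalisation. Relative, malformed and non-http(s) values are rejected, so
// a request-supplied returnTo cannot turn the logout route into an open redirect.
function isAllowedReturnTo(returnTo, allowed = ALLOWED_LOGOUT_URLS) {
  let candidate;
  try {
    candidate = new URL(returnTo);
  } catch {
    return false;
  }
  if (candidate.protocol !== 'http:' && candidate.protocol !== 'https:') {
    return false;
  }
  return allowed.some((entry) => new URL(entry).href === candidate.href);
}

// Build https://<domain>/v2/logout?client_id=...&returnTo=... with both
// parameters percent-encoded. Plain string concatenation would let an '&'
// inside returnTo be parsed as a separate logout parameter.
function buildAuth0LogoutUrl({ domain, clientId, returnTo }) {
  if (!/^[a-z0-9.-]+$/i.test(domain)) {
    throw new Error('invalid Auth0 domain');
  }
  if (!isAllowedReturnTo(returnTo)) {
    throw new Error('returnTo is not an allowed logout URL');
  }
  const url = new URL('/v2/logout', `https://${domain}`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  return url.toString();
}

// Constructed sample call.
console.log(buildAuth0LogoutUrl({
  domain: 'example-tenant.auth0.com',
  clientId: 'SAMPLE_CLIENT_ID',
  returnTo: 'http://localhost:3000/',
}));
```

In a route handler the result would be passed to `res.redirect(...)` after the local session has been destroyed; Auth0 still applies its own Allowed Logout URLs check on the tenant side.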