Federated Logout for Custom Social Connection

Problem statement

This article explains how to perform a single logout across both tenants when a Custom Social connection is used to connect one Auth0 tenant to another.

Steps to reproduce

Connect two Auth0 tenants (main and IdP) via a Custom Social connection. Try to log out of the main tenant by passing the ?federated parameter to its logout endpoint.

Cause

By default, the ?federated parameter has no effect because the connection has no getLogoutUrl script defined, so Auth0 does not know which IdP URL to redirect to. A getLogoutUrl script must be added to the connection's options via the Management API.

Solution

The sample script below redirects the browser to the logout endpoint of the IdP tenant and then returns it to the main tenant's logout endpoint, which finally sends it to the application's returnTo. Both tenants validate returnTo against the Allowed Logout URLs of the application identified by client_id, so the main tenant's /logout URL must be allowed for the application in the IdP tenant, and the application's returnTo must be allowed in the main tenant:

function getLogoutUrl(params, callback) {
    // Host of the IdP tenant, i.e. the tenant the Custom Social connection authenticates against.
    let mainTenantHost = `https://yourtenant-idp.us.auth0.com`;
    // Client ID of the application in the IdP tenant used by this connection;
    // its Allowed Logout URLs must include thisTenantHost + "/logout".
    let mainTenantAppId = `appIdinYourMainTenant`;
    // Host of this (main) tenant, where the connection and this script live.
    let thisTenantHost = `https://yourtenant.us.auth0.com`;
    let mainTenantLogout = `${mainTenantHost}/logout`;
    if (params.query.returnTo && params.query.client_id) {
        // Encode the application's returnTo, then encode the whole main-tenant logout URL
        // once more, so each tenant decodes exactly one layer and an application returnTo
        // that carries its own query string survives both hops.
        let returnToApplication = encodeURIComponent(params.query.returnTo);
        let returnToThisTenant = encodeURIComponent(`${thisTenantHost}/logout?client_id=${params.query.client_id}&returnTo=${returnToApplication}`);
        mainTenantLogout = `${mainTenantLogout}?client_id=${mainTenantAppId}&returnTo=${returnToThisTenant}`;
    }
    callback(null, mainTenantLogout);
}
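To check the chained redirect before uploading the script, the following added example (not code from the article or from Auth0) walks the two logout hops offline: a simplified model of each tenant's /logout decodes returnTo once, checks it against that tenant's Allowed Logout URLs (origin plus path only, an assumption of this model), and redirects. The hosts and client IDs are the article's placeholders.

```javascript
// Added example, not code from the Auth0 article. It walks the logout hops
// produced by getLogoutUrl (IdP tenant /logout -> main tenant /logout -> app)
// offline so the returnTo chain and its encoding can be verified.
const IDP_HOST = "https://yourtenant-idp.us.auth0.com";
const IDP_CLIENT_ID = "appIdinYourMainTenant";
const MAIN_HOST = "https://yourtenant.us.auth0.com";

// Same logic as the connection script: the inner main-tenant logout URL is
// encoded as a whole so an application returnTo with its own query string
// survives both decodes.
function getLogoutUrl(params, callback) {
  let logoutUrl = `${IDP_HOST}/logout`;
  if (params.query.returnTo && params.query.client_id) {
    const inner = `${MAIN_HOST}/logout?client_id=` +
      encodeURIComponent(params.query.client_id) +
      "&returnTo=" + encodeURIComponent(params.query.returnTo);
    logoutUrl += `?client_id=${encodeURIComponent(IDP_CLIENT_ID)}` +
      `&returnTo=${encodeURIComponent(inner)}`;
  }
  callback(null, logoutUrl);
}

// Simplified model of an Auth0 /logout endpoint (assumption: real Auth0 matches
// returnTo against the application's Allowed Logout URLs; here origin + path).
// `allowed` maps a tenant origin to the Set of origin+path values it permits.
// Returns the list of hops the browser would visit, or throws on a rejected hop.
function followLogoutChain(params, allowed) {
  const hops = [];
  let url = null;
  getLogoutUrl(params, (err, u) => { url = u; });
  while (url) {
    const current = new URL(url);
    hops.push({ origin: current.origin, clientId: current.searchParams.get("client_id") });
    const next = current.searchParams.get("returnTo"); // one decode per hop
    if (!next) break;
    const target = new URL(next);
    if (!allowed[current.origin]?.has(target.origin + target.pathname)) {
      throw new Error(`${current.origin} rejects returnTo ${next}`);
    }
    url = next;
  }
  return hops;
}
```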

Sample payload to send to the PATCH /api/v2/connections/{id} endpoint. Note that PATCH replaces the whole options object, so first retrieve the connection with GET /api/v2/connections/{id} and include its existing options (such as the fetchUserProfile script, client_id, authorizationURL and tokenURL) alongside the new getLogoutUrl script, otherwise they are lost:

{
  "options": {
    "scope": "openid email profile",
    "scripts": {
      "getLogoutUrl": "function getLogoutUrl(params, callback) { let mainTenantHost = `https://yourtenant-idp.us.auth0.com`; let mainTenantAppId = `appIdinYourMainTenant`; let thisTenantHost = `https://yourtenant.us.auth0.com`; let mainTenantLogout = `${mainTenantHost}/logout`; if (params.query.returnTo && params.query.client_id) { let returnToApplication = encodeURIComponent(params.query.returnTo); let returnToThisTenant = encodeURIComponent(`${thisTenantHost}/logout?client_id=${params.query.client_id}&returnTo=${returnToApplication}`); mainTenantLogout = `${mainTenantLogout}?client_id=${mainTenantAppId}&returnTo=${returnToThisTenant}`; } callback(null, mainTenantLogout); }",
      "fetchUserProfile": "fetchUserProfileScriptHere"
    },
    "tokenURL": "https://yourIdpDomain/oauth/token",
    "client_id": "someClientId",
    "authorizationURL": "https://yourIdpDomain/authorize"
  }
}

Related References

There are not many references, but here is what is available: