Problem statement
This article explains how to single log out of both tenants when using the Custom Social connection to connect to the Auth0 tenant.
Steps to reproduce
Connect two Auth0 tenants (main and IdP) via Custom Social connection. Try to log out by passing the ?federated parameter.
Cause
By default, the ?federated parameter has no effect because no getLogoutUrl
script is defined on the Custom Social connection. The script must be added via the Management API.
Solution
Please see the sample script below, which calls the logout endpoint of the IdP tenant and then redirects the user back to the main tenant:
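/**
 * Builds the logout URL of the IdP tenant so that `/logout?federated` on this
 * tenant also ends the session in the IdP tenant and then comes back here.
 *
 * The redirect chain is: this tenant -> IdP tenant `/logout` -> this tenant
 * `/logout` -> the application's own `returnTo`. Each hop is nested inside the
 * previous hop's `returnTo` query parameter, so every nested URL must be
 * percent-encoded as a whole (not only its `&`); otherwise a `client_id` or
 * `returnTo` containing `&`, `?` or `#` would be split into extra parameters
 * of the outer URL.
 *
 * Note: this script does no allow-listing of its own; the `returnTo` value is
 * only enforced by the receiving tenant's Allowed Logout URLs.
 *
 * @param {{ query?: { returnTo?: string, client_id?: string } }} params
 *   Request parameters; only `query.returnTo` and `query.client_id` are read.
 * @param {(err: Error | null, url: string) => void} callback
 *   Invoked with `null` and the IdP tenant logout URL.
 */
function getLogoutUrl(params, callback) {
  // Host of the IdP tenant (reached through the Custom Social connection) and
  // the client_id registered in that tenant for this tenant's application.
  const idpTenantHost = `https://yourtenant-idp.us.auth0.com`;
  const idpTenantClientId = `appIdinYourMainTenant`;
  // Host of this (main) tenant, where this script is installed.
  const thisTenantHost = `https://yourtenant.us.auth0.com`;

  const returnTo = params?.query?.returnTo;
  const clientId = params?.query?.client_id;

  // Without both values there is nothing to chain: fall back to a bare IdP
  // logout, as the original sample did.
  if (!returnTo || !clientId) {
    callback(null, `${idpTenantHost}/logout`);
    return;
  }

  // Second hop: this tenant's own logout, carrying the application's returnTo.
  // Both values are encoded individually so they cannot inject parameters.
  const returnToThisTenant =
    `${thisTenantHost}/logout` +
    `?client_id=${encodeURIComponent(clientId)}` +
    `&returnTo=${encodeURIComponent(returnTo)}`;

  // First hop: the IdP tenant's logout. The whole second-hop URL is encoded as
  // one component; query parameters are decoded once when parsed, so after the
  // redirect this tenant receives the plain `client_id=…&returnTo=…` query.
  const idpLogoutUrl =
    `${idpTenantHost}/logout` +
    `?client_id=${idpTenantClientId}` +
    `&returnTo=${encodeURIComponent(returnToThisTenant)}`;

  callback(null, idpLogoutUrl);
}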
Sample Payload to send to the PATCH /api/v2/connections/{id}
endpoint:
{
"options": {
"scope": "openid email profile",
"scripts": {
"getLogoutUrl": "function getLogoutUrl(params, callback) { let mainTenantHost = `https://yourtenant-idp.us.auth0.com`; let mainTenantAppId = `appIdinYourMainTenant`; let thisTenantHost = `https://yourtenant.us.auth0.com`; let mainTenantLogout = `${mainTenantHost}/logout`; if (params.query.returnTo && params.query.client_id) { let returnToApplication = encodeURIComponent(params.query.returnTo); let returnToThisTenant = `${thisTenantHost}/logout?client_id=${params.query.client_id}%26returnTo=${returnToApplication}`; mainTenantLogout = `${mainTenantLogout}?client_id=${mainTenantAppId}&returnTo=${returnToThisTenant}`; } callback(null, mainTenantLogout); }",
"fetchUserProfile": "fetchUserProfileScriptHere"
},
"tokenURL": "https://yourIdpDomain/oauth/token",
"client_id": "someClientId",
"authorizationURL": "https://yourIdpDomain/authorize"
}
}
Related References
There are not many references, but here is what is available: