Regarding Logout for an ADFS Enterprise connection with a custom post-login flow action:
We use this action to call into our back-end in order to retrieve claims for the user. If the user is not authorized to access our application, the action fails the login by calling api.access.deny("Auth Denied").
When this happens, the application calls logout() with the federated flag from the auth0-react SDK; however, there is no redirect to the IDP, and the IDP session is not killed.
Our assumption is that because deny() was called, Auth0 has already terminated its session, so it doesn’t bother redirecting to the IDP logout. Unfortunately, because the IDP login happens before the Auth0 login, that session remains active, and when another user tries to log in, Auth0 tries to log in the previous user.
We have tried a manual logout in the post-login action, as depicted in #103002, however due to some formatting of the URL that Auth0 does, we can’t get the ?federated flag passed in correctly (the best we end up with is a ?federated=, which doesn’t work).
We’re considering NOT calling the deny() in the flow, and effectively logging in the user (and generating a token), and relying purely on the application to deny, but I’d prefer if there was no Auth0 token ever present in this use case.
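The formatting problem the post describes (ending up with ?federated= instead of a bare ?federated) comes from the way standard query serializers work: every key is emitted as key=value, so an empty-valued flag always gets a trailing "=". The following is an added example, not code from the original post or from Auth0; it shows the difference on the /v2/logout URL, whose client_id, returnTo and federated parameters are taken from Auth0's logout endpoint documentation. The tenant domain, client id and returnTo values are constructed placeholders, and the function names (buildWithSearchParams, buildFederatedLogoutUrl, hasBareFlag) are hypothetical.

```javascript
// Added example: building an Auth0 /v2/logout URL with a bare "federated" flag.
// The endpoint and its client_id, returnTo and federated parameters come from
// Auth0's logout documentation; the domain, client id and returnTo values used
// by callers are constructed placeholders, not real tenant settings.

// What a query-object serializer produces. URLSearchParams always emits
// key=value, so an empty-valued flag comes out as "federated=", which is the
// form the original post reports as not working.
function buildWithSearchParams(domain, clientId, returnTo) {
  const url = new URL(`https://${domain}/v2/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  url.searchParams.append('federated', '');
  return url.toString();
}

// Manual construction: percent-encode the valued parameters with
// URLSearchParams, then append the flag as a literal so no "=" follows it.
function buildFederatedLogoutUrl(domain, clientId, returnTo) {
  const params = new URLSearchParams({ client_id: clientId, returnTo });
  return `https://${domain}/v2/logout?${params.toString()}&federated`;
}

// Check to run before redirecting: is the flag present as a bare key in the
// raw query string? The raw string is inspected on purpose, because
// URLSearchParams.get('federated') returns '' for both "federated" and
// "federated=" and cannot distinguish them.
function hasBareFlag(urlString, flag) {
  const query = new URL(urlString).search.slice(1);
  return query.split('&').some((part) => part === flag);
}

// Stand-alone demonstration with constructed values.
const domain = 'tenant.example.auth0.com';
const clientId = 'abc123';
const returnTo = 'https://app.example.com/';

const serialized = buildWithSearchParams(domain, clientId, returnTo);
const manual = buildFederatedLogoutUrl(domain, clientId, returnTo);

console.log(serialized, '-> bare flag:', hasBareFlag(serialized, 'federated')); // false
console.log(manual, '-> bare flag:', hasBareFlag(manual, 'federated'));         // true
```

Any redirect helper that accepts a query object will serialize it the way buildWithSearchParams does, so the bare flag has to be appended to the finished URL string by hand, as buildFederatedLogoutUrl does, and the string passed through as-is. Whether the logout endpoint treats federated= and a bare federated differently is the original poster's observation, so verify the behaviour against your own tenant before relying on it.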