How to force a log out in a NextJS application?

Hello, I am trying to make the user log out after having updated their password.
I have a NextJS app and have followed the quickstart guide, so my “/app/api/auth/[auth0]/route.ts” page is set up like so:

import { handleAuth, handleProfile, handleLogin, handleLogout } from '@auth0/nextjs-auth0';

const logoutUrl = [
  `${process.env.AUTH0_ISSUER_BASE_URL}/v2/logout?`,
  `client_id=${process.env.AUTH0_CLIENT_ID}`,
  `&returnTo=${process.env.AUTH0_BASE_URL}`,
];

export const GET = handleAuth({
  profile: handleProfile({ refetch: true }),
  login: handleLogin({ authorizationParams: {} }),
  logout: handleLogout({ returnTo: logoutUrl.join('') }),
  signup: handleLogin({
    authorizationParams: {
      screen_hint: 'signup',
    },
  }),
});

The only way to log out which seems to be working at the moment is by clicking on a link which calls the /api/auth/logout endpoint:

<Link prefetch={false} href={'/api/auth/logout'}>
  Log out
</Link>

Everything else I’ve tried fails. I need to do it without the user clicking on this link. The user has clicked on a button to save their new password and the log out action needs to be called after that programmatically.

I’ve tried using the Auth0-JS library and this didn’t work:

webAuth.logout({
  returnTo: 'some url here',
  clientID: 'some client ID here'
});

I tried making a fetch request to a route handler too inside the app:

import { revalidatePath } from 'next/cache';
import { redirect } from 'next/navigation';

export async function GET(req: Request) {
  const domain = process.env.AUTH0_ISSUER_BASE_URL;
  const clientId = process.env.AUTH0_CLIENT_ID;
  const returnTo = process.env.AUTH0_BASE_URL;

  const logoutUrl = `${domain}/v2/logout?client_id=${clientId}&returnTo=${encodeURIComponent(returnTo!)}`;

  revalidatePath(returnTo!);
  redirect(logoutUrl);
}

The user still stays logged in. I also tried redirecting to the link “https://${DOMAIN}/oidc/logout?post_logout_redirect_uri=${process.env.AUTH0_BASE_URL}&client_id=${CLIENT_ID}” after following this guide:
Log Users Out of Auth0 with OIDC Endpoint

Can someone point me in the right direction as to why only the call to the handleLogout handler from the quickstart setup seems to be logging the user out? Only a link seems to be able to activate it.

Thanks in advance!
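The logout flow the question describes, as an added example that is not code from the original post or from @auth0/nextjs-auth0: it builds the /v2/logout URL with every parameter encoded, checks returnTo against an allowlist, and triggers the logout by a top-level navigation to /api/auth/logout rather than a fetch(). The tenant domain, client id and origins used in the comments and tests are constructed placeholders.

```javascript
// Why the fetch() attempt in the question leaves the user logged in:
// /api/auth/logout (handleLogout) replies with Set-Cookie headers that clear the
// app session and a 302 to Auth0's logout endpoint. A fetch() follows that
// redirect in the background, so the tab never navigates to Auth0 and the
// Auth0-side session is never ended. A custom handler that only redirect()s to
// /v2/logout has the opposite gap: it never clears the SDK's session cookie.
// The fix is to navigate the whole page to the SDK route.

// Builds the same URL the question's route.ts assembles by hand, but with
// returnTo percent-encoded (the template string in the post left it raw).
function buildAuth0LogoutUrl(issuerBaseUrl, clientId, returnTo) {
  const url = new URL('/v2/logout', issuerBaseUrl);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  return url.toString();
}

// Client-side mirror of the "Allowed Logout URLs" check Auth0 enforces on its
// side: returnTo must be an absolute https (or localhost) URL whose origin is
// on the allowlist, so a tampered value cannot turn logout into an open redirect.
function isAllowedReturnTo(returnTo, allowedOrigins) {
  try {
    const u = new URL(returnTo);
    const schemeOk = u.protocol === 'https:' || u.hostname === 'localhost';
    return schemeOk && allowedOrigins.includes(u.origin);
  } catch {
    return false; // not a parseable absolute URL (e.g. a relative path or javascript:)
  }
}

// Call this after the password-save request has succeeded. `navigate` defaults
// to a real top-level navigation; it is injectable so the logic runs in tests
// where `window` does not exist. Returns the href it navigated to.
function logoutAfterPasswordChange(navigate = (href) => window.location.assign(href)) {
  const sdkLogoutRoute = '/api/auth/logout';
  navigate(sdkLogoutRoute); // full navigation, not fetch()
  return sdkLogoutRoute;
}
```

In the password form's submit handler, `await fetch('/api/change-password', ...)` (a hypothetical route) followed by `logoutAfterPasswordChange()` is enough; the SDK route does the cookie clearing and the Auth0 round trip.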

Hi @dimitar10000,

I have just tested the password reset flow and confirmed that changing passwords invalidates the user’s session. As a result, I was prompted to re-enter my credentials to log in again. This is also mentioned in this documentation.

Are you not experiencing this behavior?

Thanks,
Rueben
