I am using react-native-auth0 and auth0.webAuth.authorize() to access the hosted login pages for both social (Google, Facebook) and passwordless. Login works great. Calling the logout endpoint from the same embedded browser as authorize() does not log the user out of the identity provider, i.e. the next time the user tries to log in, they are not prompted for a username/password. I have managed to solve the issue for Google by calling the Google logout URL
https://accounts.google.com/Logout from the embedded browser.
Facebook is a bit more complicated. To log out of the Facebook IdP, the client needs access to the IdP access_token. As documented in Logout, the URL to call is
https://pandd.auth0.com/v2/logou...om&access_token=[facebook access_token]. However, on the Call an Identity Provider API page Auth0 advises against passing the IdP access token to the client:
Security Warning! Make sure that you don’t expose the IdP access token to your client-side application.
So, should we or should we not use the Facebook IdP access_token at the client to log out?