
Implementing single logout

logout
aspnet-core

#1

I have two applications:

  1. A jQuery-based application (SPA client)
  2. An ASP.NET Core based application (regular web app client)

I’m trying to implement single logout between the two apps. I couldn’t find how to implement it from the ASP.NET Core side. Is there any available code example or document regarding this?


#2

Depending on how the user authenticates in Auth0, an authenticated session is established at Auth0. For example, if both applications redirect the user to the Auth0 hosted login page, then authenticating in either will generate the session.

This session can be leveraged to provide an SSO experience across both applications and can also be used as a means to signal that the user has logged out. More specifically, assume that the user is already authenticated in both applications and clicks the logout button in one of them.

The application reacting to the user logout action should call the logout endpoint in Auth0 in order for the user session at Auth0 to be terminated.

In addition, both applications, when a user is authenticated, can perform a polling request to Auth0 to check for the existence of an active user session. If this request succeeds, then the user has not logged out from any application. If this request fails, then it likely indicates the user performed a logout operation from another application, and the current application can automatically react to that and also clean the local session.

The request that checks for the active session can be implemented through a silent authentication procedure. Keep in mind that you should use an acceptable frequency for these types of requests, so this does not provide real-time logout. Also, the above is applicable for applications making use of OAuth2/OIDC.

For SAML-based applications you might want to check the SAML logout related documentation.
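The procedure described in this answer (terminate the Auth0 session via the logout endpoint, then have each application poll with a silent `prompt=none` authorize request and clear its local session only when Auth0 reports no session) as an added browser-side example. This is not code from the thread or from Auth0's SDKs; the tenant domain, client id, callback page and origin are placeholders, and the callback page is assumed to run `window.parent.postMessage(location.search + location.hash, 'https://app.example')`. The logic is split into pure functions so the decision rules can be exercised outside a browser.

```javascript
// Added example: Auth0 logout URL plus a silent-auth session poller.
// All tenant/app values below are placeholders (assumptions, not from the thread).
const CONFIG = {
  domain: 'YOUR_TENANT.auth0.com',                         // placeholder
  clientId: 'YOUR_CLIENT_ID',                              // placeholder
  silentCallback: 'https://app.example/silent-callback',   // placeholder page
  appOrigin: 'https://app.example',                        // placeholder
  logoutReturnTo: 'https://app.example/',                  // placeholder
};

// Unguessable state/nonce from Web Crypto (browser, or Node 19+ where it is global).
function randomToken(bytes = 16) {
  const c = globalThis.crypto;
  if (!c || !c.getRandomValues) throw new Error('Web Crypto is required for state/nonce');
  const buf = new Uint8Array(bytes);
  c.getRandomValues(buf);
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Auth0 logout endpoint: ends the session at Auth0, then redirects to returnTo.
// Clear the application's own session before navigating the browser here.
function buildLogoutUrl(cfg) {
  const q = new URLSearchParams({ client_id: cfg.clientId, returnTo: cfg.logoutReturnTo });
  return `https://${cfg.domain}/v2/logout?${q}`;
}

// Silent authentication: prompt=none tells Auth0 to answer without any UI,
// succeeding only if an Auth0 session exists and returning login_required otherwise.
function buildSilentAuthUrl(cfg, state, nonce) {
  const q = new URLSearchParams({
    client_id: cfg.clientId, response_type: 'code', redirect_uri: cfg.silentCallback,
    scope: 'openid', state, nonce, prompt: 'none',
  });
  return `https://${cfg.domain}/authorize?${q}`;
}

// Collect parameters from the query string and/or fragment the callback page reports.
function parseCallback(urlOrFragment) {
  const params = {};
  for (const part of urlOrFragment.split(/[?#]/).slice(1)) {
    for (const [k, v] of new URLSearchParams(part)) params[k] = v;
  }
  return params;
}

// Only these OIDC errors mean "no interactive session at Auth0", i.e. logged out.
const NO_SESSION_ERRORS = new Set(['login_required', 'interaction_required', 'consent_required']);

// Decide what a silent-auth response means. A state mismatch is ignored (not a
// reply to our request); any other error is 'unknown' so a transient failure
// (network, rate limit) does not throw the user out of this application.
function interpretSilentAuthResult(params, expectedState) {
  if (params.state !== expectedState) return { status: 'ignored', reason: 'state_mismatch' };
  if (params.error) {
    return NO_SESSION_ERRORS.has(params.error)
      ? { status: 'logged_out', reason: params.error }
      : { status: 'unknown', reason: params.error };
  }
  if (params.code || params.id_token) return { status: 'active', reason: null };
  return { status: 'unknown', reason: 'no_response' };
}

// Browser-only transport: load the authorize URL in a hidden iframe and resolve
// with the string the callback page posts back to its parent window.
function iframeSilentAuth(url, expectedOrigin, timeoutMs = 10000) {
  return new Promise((resolve, reject) => {
    const iframe = document.createElement('iframe');
    iframe.style.display = 'none';
    const cleanup = () => { window.removeEventListener('message', onMessage); iframe.remove(); };
    const timer = setTimeout(() => { cleanup(); reject(new Error('silent auth timeout')); }, timeoutMs);
    function onMessage(ev) {
      // Accept only messages from our own callback origin and from this iframe.
      if (ev.origin !== expectedOrigin || ev.source !== iframe.contentWindow) return;
      clearTimeout(timer); cleanup(); resolve(String(ev.data));
    }
    window.addEventListener('message', onMessage);
    iframe.src = url;
    document.body.appendChild(iframe);
  });
}

// One session check. `silentAuth(url)` resolves with the callback URL/fragment,
// so a fake transport can drive the logic outside a browser.
async function checkSession(cfg, silentAuth, state = randomToken(), nonce = randomToken()) {
  const url = buildSilentAuthUrl(cfg, state, nonce);
  let callback;
  try { callback = await silentAuth(url); }
  catch (e) { return { status: 'unknown', reason: e.message }; }
  return interpretSilentAuthResult(parseCallback(callback), state);
}

// Poll on a modest interval (minutes, not seconds); react only to a definite
// "no session" answer. Returns a function that stops the poller.
// Usage in the SPA: startSessionPoller(CONFIG, (u) => iframeSilentAuth(u, CONFIG.appOrigin),
//                                      2 * 60 * 1000, () => { /* clear local session, redirect */ });
function startSessionPoller(cfg, silentAuth, intervalMs, onLoggedOut) {
  const id = setInterval(async () => {
    const result = await checkSession(cfg, silentAuth);
    if (result.status === 'logged_out') { clearInterval(id); onLoggedOut(result.reason); }
  }, intervalMs);
  return () => clearInterval(id);
}
```

The same script can be served from the ASP.NET Core application's pages, since the Auth0 session cookie lives in the browser and the check has to originate there; on logout the ASP.NET Core app would first sign the user out locally (`HttpContext.SignOutAsync`) and then redirect to the `/v2/logout` URL built above, which is what makes the other application's next poll come back with `login_required`.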


#3

Hi,
Thanks for your reply, that’s clear :slight_smile:
You say that "The request that checks for the active session can be implemented through a silent authentication procedure. Keep in mind that you should use an acceptable frequency for these types of requests, so this does not provide real-time logout." What would be, in your mind, “an acceptable frequency”? Is 2 minutes an acceptable frequency, for example?

Thanks,


#4