Inconsistent Social Login/Logout Behavior

I have had Google login enabled for some time as I develop a small project. Upon logout, calling https://AUTH0_DOMAIN/v2/logout, everything works as expected; cookies and storage are cleared.

Upon login, calling https://AUTH0_DOMAIN/authorize?response_type=code&audience=audience&client_id=$client_id&redirect_uri=redirect_uri/api/auth/callback&scope=openid%20profile%20email%20&state=state&nonce=nonce, everything works as expected: the user is taken to the Auth0 login, chooses Google and proceeds to select an account.

Today, without changing any other settings, I enabled GitHub and Twitter login and attempted to verify they were working correctly. Both login fine, however, there seems to be an issue after logout. They use the same code as Google login but once either GitHub or Twitter login has been used once, clicking ‘login’ will always skip the option to choose the identity provider and proceed to login with the last used provider.

The only way to get out of this state is to remove the created user from the Auth0 Dashboard. If this is not done, clicking ‘login’ will automatically log the user in with the identity provider selected previously. This behavior persists even if all application storage is cleared before doing so, leading me to believe something is not working as expected on the Auth0 side.

I have tried some of the solutions posted on this forum, including using a redirectTo and client_id in the /logout path; neither of these actually seems to be respected, and they intermittently return different status codes, 400 and 404.

Expected Flow (working with Google login):

  • Click ‘login’
  • Redirected to Auth0 lock page
  • Social provider selected
  • Authenticate with a social provider
  • Redirect back to the application
  • Logout (calling the Auth0 /logout endpoint)
  • Repeat

Current flow (with GitHub and Twitter):

  • Click ‘login’
  • Redirected to Auth0 lock page
  • Social provider selected
  • Authenticate with a social provider
  • Redirect back to the application
  • Logout (calling the Auth0 /logout endpoint)
  • Click ‘login’
    - Auth0 proceeds to use the previously chosen social provider
    - After a while, user is redirected back to the application with authentication complete

I’m a little lost as to where the problem could be here and would appreciate any guidance and input.

Hi @mcsdev , welcome to the community!

As part of the logout process from your application, are you clearing any sessions which you are using to track users that have logged into your application? If not already being done, this needs to be done as well as calling the Auth0 logout endpoint.
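The point made above, that the application's own session has to be ended in addition to calling the Auth0 logout endpoint, as a worked logout route. This is an added example written for this thread, not code from the original posts or from Auth0's SDKs. It assumes a Next.js-style `(req, res)` API route, an application session cookie named `access_token`, and environment variables `AUTH0_DOMAIN`, `AUTH0_CLIENT_ID` and `APP_BASE_URL` (all placeholders). The route clears the app cookie with an expired `Set-Cookie` header and then redirects the browser itself to `/v2/logout` with `returnTo` and `client_id`, so the Auth0 session cookie the browser holds for the tenant domain is the one that gets cleared; a server-side `fetch` of that endpoint carries no browser cookies and therefore cannot end that Auth0 session.

```javascript
// Added example: application logout that clears the app session cookie and
// then sends the browser (not a server-side fetch) through Auth0's /v2/logout.
// AUTH0_DOMAIN, AUTH0_CLIENT_ID, APP_BASE_URL and the cookie name
// "access_token" are placeholders assumed for this example.

// Minimal Set-Cookie serializer so the example runs without the "cookie" package.
function serializeCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.expires) parts.push(`Expires=${opts.expires.toUTCString()}`);
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.httpOnly) parts.push("HttpOnly");
  if (opts.secure) parts.push("Secure");
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join("; ");
}

// Header that deletes the app session cookie: empty value, Max-Age=0 and an
// Expires date in the past. (A maxAge of Date.now() would do the opposite and
// keep the cookie for roughly 50 years, because Max-Age is in seconds.)
function expiredSessionCookie(name = "access_token") {
  return serializeCookie(name, "", {
    maxAge: 0,
    expires: new Date(0),
    path: "/",
    httpOnly: true,
    secure: true,
    sameSite: "Lax",
  });
}

// Auth0 logout URL the browser is redirected to. When client_id is present,
// returnTo must be listed under the application's "Allowed Logout URLs" in the
// Auth0 dashboard, otherwise Auth0 rejects the request.
function buildAuth0LogoutUrl(domain, clientId, returnTo) {
  const url = new URL(`https://${domain}/v2/logout`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("returnTo", returnTo);
  return url.toString();
}

// GET /api/auth/logout handler (Next.js API route style). Returns the redirect
// target so the behaviour can be checked without a real server.
function logoutHandler(req, res, env = process.env) {
  const location = buildAuth0LogoutUrl(
    env.AUTH0_DOMAIN,
    env.AUTH0_CLIENT_ID,
    env.APP_BASE_URL
  );
  res.setHeader("Set-Cookie", expiredSessionCookie());
  res.setHeader("Cache-Control", "no-store"); // never cache a logout response
  res.statusCode = 302;
  res.setHeader("Location", location);
  res.end();
  return location;
}

// Browser side: navigate to the route instead of fetch()-ing it, so the
// redirect chain (app -> Auth0 -> returnTo) runs as a top-level navigation
// that carries the Auth0 domain's cookies:
//   window.location.assign("/api/auth/logout");
```

Two things to check when adapting this: the `returnTo` value has to match an entry in the application's Allowed Logout URLs exactly, and the client must reach the route by navigation (`window.location.assign`) rather than by `fetch`, since a `fetch` follows the 302 to the Auth0 domain without the browser's cookies for that domain and the Auth0 session survives.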

Hi @mcsdev,

How are you handling logout in this scenario? Can you post the code that calls the logout endpoint?

Thanks,
Dan

Hey, Dan!

```js
// Client-side click handler; the function name is assumed, as the opening
// line was cut off in the post.
const handleLogout = async () => {
  await fetch("/api/auth/logout");
  // remove cookies
  // redirect
};
```

And /api/auth/logout:

```js
import cookie from "cookie"; // npm "cookie" package, provides cookie.serialize

export default async (req, res) => {
  // Server-side request to the Auth0 logout endpoint. The browser's cookies
  // for the Auth0 domain are not attached to this request.
  await fetch(`https://${process.env.AUTH0_DOMAIN}/v2/logout`);
  const cookieOptions = (http = false) => {
    return {
      httpOnly: http,
      path: "/",
      secure: process.env.NODE_ENV === "production",
      maxAge: 0, // expire immediately (Date.now() here would keep the cookie for decades, as Max-Age is in seconds)
      sameSite: true,
    };
  };
  // Overwrite the application's access_token cookie with an empty, expired value
  res.setHeader(
    "Set-Cookie",
    cookie.serialize("access_token", "", cookieOptions(true))
  );
  res.end();
};
```

Are you getting an error back when you call that? I didn’t see the logout request happening in the HAR you gave our team. I also tried the steps you provided and could not recreate the bug. Everything was functioning normally.

Hey Dan, no errors, just a 202 response!

When I hit the logout endpoint I get a 200 response. I am wondering if you can send me another HAR in a DM.
