
JavaScript SDK Calling webAuth.logout does not work


#1

Hi there!

SDK: auth0-js
Version: 9.7.3
Platform: in-browser, latest Chrome
I’m just getting started, the code had not previously worked for me

Here is the HAR file:
localhost.har (21.4 KB)

Having trouble calling the logout endpoint. In some cases, when I call webAuth.logout, it does not log out, but instead redirects to my login callback URL. My app then logs the user back in (i.e. writes token to local storage), which results in a continuous cycle of not being able to log out at all. In other cases, it works as expected. I noticed that it breaks when the authentication method is set to Database, and works as expected when it is Google OAuth.

I did not see an obvious difference between requests made when it works and when it doesn’t, but I noticed that in both cases it ignores the returnTo parameter that I pass to webAuth.logout.

Here is my client side code:

export default class Auth {
  static domain = ;
  static clientId = ;

  constructor() {
    this.login = this.login.bind(this);
    this.logout = this.logout.bind(this);
    this.handleAuthentication = this.handleAuthentication.bind(this);
  }

  auth0 = new auth0.WebAuth({
    domain: Auth.domain,
    clientID: Auth.clientId,
    responseType: 'id_token',
    scope: 'openid profile email'
  });

  // Runs on the callback route: parses the URL hash and stores the session.
  handleAuthentication(callback) {
    this.auth0.parseHash((err, authResult) => {
      if (authResult && authResult.idToken) {
        Session.setSession(authResult);

        callback();
      } else if (err) {
        throw new Error(err);
      }
    });
  }

  login() {
    this.auth0.authorize({
      redirectUri: `http://localhost:3001${AUTH_LOGIN_CALLBACK_ROUTE}`
    });
  }

  signup() {
    this.auth0.authorize({
      redirectUri: `http://localhost:3001${AUTH_SIGNUP_CALLBACK_ROUTE}`
    });
  }

  // Clears the local session, then redirects to the Auth0 logout endpoint.
  logout() {
    Session.clearSession();

    this.auth0.logout({
      returnTo: 'http://localhost:3000/',
      clientId: Auth.clientId,
    });
  }
}

Thanks for your help!


#2

Hello, did you manage to solve your issue? I am having the same problem. The logout function in my webapp was just working a few days ago. We did not change anything and now it just stopped working.


#3

I’m also having exactly the same issue with this code:

public logout() {
  this.auth0.logout({
    returnTo: 'http://my-return-url',
    client_id: 'my-client-id'
  })

  localStorage.removeItem('access_token')
  localStorage.removeItem('id_token')
  localStorage.removeItem('expires_at')
}

I noticed that you are using clientId and I have been using client_id, but it doesn’t seem to make a difference. TypeScript typings have clientID in the LogoutOptions, but it doesn’t work either:

export interface LogoutOptions {
  clientID?: string;
  returnTo?: string;
  federated?: boolean;
}

#4

I too am seeing the same issue.

After my app calls “logout”, in my request logs I see the following:
https://mytenant.auth0.com/v2/logout?client_id=asdf1234&returnTo=https://myapp.com&auth0Client=hjkl6789

It returns a 302 and redirects me to https://myapp.com as expected.

However, when my app loads it then calls auth0.js “renew”, and I see the following network call:
https://mytenant.auth0.com/authorize?client_id=qwer2134&response_type=token%20id_token&redirect_uri=https://myapp.com&scope=openid%20profile%20email&audience=https://myapi.com&prompt=none&connection=Username-Password-Authentication&state=vbnm6789&nonce=xzcv4567&response_mode=web_message&auth0Client=hjkl6789

This returns 200. Since I had just called logout, I would expect it to return a 302 and redirect me to:
https://mytenant.auth0.com/login

This behavior is intermittent but seems to happen about 50% of the time with one of our tenants.
This behavior is new (this month) and we didn’t see the issue previously.
We’re using auth0-js 9.3.0.

Update: it seems like if I provide client_id and replyTo parameters to https://mytenant.auth0.com/v2/logout then the Auth0 SSO cookie is not cleared despite the Auth0 docs (https://auth0.com/docs/logout#log-out-a-user) saying otherwise.

As a workaround, we’re calling /logout manually (not via Auth0-JS) without any of the query parameters. This seems to be doing the trick so far but we have more testing to do.

The API behavior when the client_id is included seems like a bug on the Auth0 side as it directly contradicts the docs and only started behaving this way recently.
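
One way to check a HAR capture, such as the one attached in #1, for the two symptoms reported in this thread: a /v2/logout redirect that does not match returnTo, and /authorize being requested again after logout. This is an added example, not code from any post or from Auth0; the sample entries are constructed from the URL shapes quoted above, and the function names are hypothetical.

```javascript
// Constructed sample in HAR 1.2 shape (log.entries[].request/response).
// Hosts and parameter values are placeholders modelled on the URLs in this thread.
const sampleHar = { log: { entries: [
  { request: { url: 'https://mytenant.auth0.com/v2/logout?client_id=asdf1234&returnTo=https%3A%2F%2Fmyapp.com' },
    response: { status: 302, headers: [{ name: 'Location', value: 'https://myapp.com/callback' }] } },
  { request: { url: 'https://myapp.com/callback' },
    response: { status: 200, headers: [] } },
  { request: { url: 'https://mytenant.auth0.com/authorize?client_id=qwer2134&prompt=none&response_mode=web_message' },
    response: { status: 200, headers: [] } },
] } };

// Case-insensitive lookup in a HAR response's header list.
function header(response, name) {
  const h = (response.headers || []).find(x => x.name.toLowerCase() === name.toLowerCase());
  return h ? h.value : null;
}

// Normalise so "https://myapp.com" and "https://myapp.com/" compare equal.
function sameUrl(a, b) {
  try { return new URL(a).href === new URL(b).href; } catch (e) { return false; }
}

// Walk the entries in order; report each logout call and every later
// /authorize call to the same tenant host.
function auditLogout(har) {
  const findings = [];
  let logoutHost = null;
  for (const { request, response } of har.log.entries) {
    const url = new URL(request.url);
    if (url.pathname === '/v2/logout') {
      logoutHost = url.host;
      const returnTo = url.searchParams.get('returnTo');
      const location = header(response, 'Location');
      findings.push({
        type: 'logout',
        params: [...url.searchParams.keys()],   // which query parameters were actually sent
        status: response.status, returnTo, location,
        returnToHonoured: returnTo !== null && location !== null && sameUrl(returnTo, location),
      });
    } else if (logoutHost === url.host && url.pathname === '/authorize') {
      findings.push({
        type: 'authorize-after-logout',
        silent: url.searchParams.get('prompt') === 'none',
        status: response.status,
      });
    }
  }
  return findings;
}
```

Running `auditLogout` over a capture from a working logout and one from a failing logout gives two finding lists that can be compared field by field, including which parameter names (`clientId`, `client_id`, `clientID`) ended up in the logout request.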