JavaScript SDK Calling webAuth.logout does not work

petrgazarov · September 10, 2018, 5:13am

Hi there!

SDK: auth0-js
Version: 9.7.3
Platform: in-browser, latest Chrome
I’m just getting started, the code had not previously worked for me

Here is the HAR file:
localhost.har (21.4 KB)

Having trouble calling the logout endpoint. In some cases, when I call webAuth.logout, it does not log out, but instead redirects to my login callback URL. My app then logs the user back in (i.e. writes token to local storage), which results in a continuous cycle of not being able to logout at all. In other cases, it works as expected. I noticed that it brakes when authentication method is set to Database, and works as expected when it is Google Oauth.

I did not see an obvious difference between requests made when it works and when it doesn’t, but I noticed that in both cases it ignores returnTo parameter that I pass to webAuth.logout.

Here is my client side code:

export default class Auth {
static domain = ;
static clientId = ;

constructor() {
this.login = this.login.bind(this);
this.logout = this.logout.bind(this);
this.handleAuthentication = this.handleAuthentication.bind(this);
}

auth0 = new auth0.WebAuth({
domain: Auth.domain,
clientID: Auth.clientId,
responseType: ‘id_token’,
scope: ‘openid profile email’
});

handleAuthentication(callback) {
this.auth0.parseHash((err, authResult) => {
if (authResult && authResult.idToken) {
Session.setSession(authResult);

    callback();
  } else if (err) {
    throw new Error(err);
  }
});

}

login() {
this.auth0.authorize({
redirectUri: http://localhost:3001${AUTH_LOGIN_CALLBACK_ROUTE}
});
}

signup() {
this.auth0.authorize({
redirectUri: http://localhost:3001${AUTH_SIGNUP_CALLBACK_ROUTE}
});
}

logout() {
Session.clearSession();

this.auth0.logout({
  returnTo: 'http://localhost:3000/',
  clientId: Auth.clientId,
});

}
}

Thanks for your help!

reggie.pangilinan · October 8, 2018, 10:03pm

Hello did you manage solve your issue? I am having the same problem. The logout function in my webapp was just working a few days ago. We did not change anything and now It just stopped working.

tlaak · October 24, 2018, 4:14pm

I’m also having exactly the same issue with this code:

public logout() {
  this.auth0.logout({
    returnTo: 'http://my-return-url',
    client_id: 'my-client-id'
  })

  localStorage.removeItem('access_token')
  localStorage.removeItem('id_token')
  localStorage.removeItem('expires_at')
}

I noticed that you are using clientId and I have been using client_id, but it doesn’t seem to make a difference. TypeScript typings have clientID in the LogoutOptions, but it doesn’t work either:

export interface LogoutOptions {
  clientID?: string;
  returnTo?: string;
  federated?: boolean;
}

tseabrook · November 22, 2018, 3:09am

I too am seeing the same issue.

After my app calls “logout”, in my request logs I see the following:
https://mytenant.auth0.com/v2/logout?client_id=asdf1234&returnTo=https://myapp.com&auth0Client=hjkl6789

It returns a 302 and redirects me to https://myapp.com as expected.

However, when my app loads it then calls auth0.js “renew”, and I see the following network call:
https://mytenant.auth0.com/authorize?client_id=qwer2134&response_type=token%20id_token&redirect_uri=https://myapp.com&scope=openid%20profile%20email&audience=https://myapi.com&prompt=none&connection=Username-Password-Authentication&state=vbnm6789&nonce=xzcv4567&response_mode=web_message&auth0Client=hjkl6789

This returns 200. Since I had just called logout, I would expect it to return a 302 and redirect me to:
https://mytenant.auth0.com/login…

This behavior is intermittent but seems to happen about 50% of the time with one of our tenants.
This behavior is new (this month) and we didn’t see the issue previously.
We’re using auth0-js 9.3.0.

Update: it seems like if I provide client_id and replyTo parameters to https://mytenant.auth0.com/v2/logout then the Auth0 SSO cookie is not cleared despite the Auth0 docs (https://auth0.com/docs/logout#log-out-a-user) saying otherwise.

As a workaround, we’re calling /logout manually (not via Auth0-JS) without any of the query parameters. This seems to be doing the trick so far but we have more testing to do.

The API behavior when the client_id is included seems like a bug on the Auth0 side as it directly contradicts the docs and only started behaving this way recently.

konrad.sopala · August 28, 2019, 12:09pm

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?