Local Logout is logging back in on page refresh

I’m using auth0-react 1.9.0

In my main index.js I have:

Additionally, I have a script in App.js that runs getAccessTokenSilently when the app first loads.

  const getToken = async () => {
    try {
      await getAccessTokenSilently()
    } catch (e) {
      console.log(e)
    }
  }

  useEffect(() => {
    getToken()
  }, [])

My login button is using onClick={() => loginWithPopup()} which I understand uses HTML5 web messaging.

My logout button is running with onClick={() => logout({ localOnly: true })} because I’m running in a chrome extension that might be running on any page domain, so I cannot do a sensible redirect. It’s also important for the user flow that they can stay on their current page.

Problem:

When I logout and refresh the page, getAccessTokenSilently gets a new token and logs me back in.

How?! I can see that the localstorage (but not cookies) are cleared by logout(), but even when I delete the cookies manually, a refresh still causes getAccessTokenSilently to function. Where is any user information being stored?

Also note:

  • If I comment out getAccessTokenSilently, then it does not get logged back in.
  • If I do this in incognito mode, then it does not get logged back in.

Of course I can simply remove getAccessTokenSilently from firing immediately, but I want to understand how getAccessTokenSilently is even working at all, as it seems like a security risk.