Log type 'flo' and its triggers

Problem statement

We want to understand the log event type “flo” (Failed Logout) for Auth0 tenants.
What are the triggers for this event code? And are they triggered by malicious actors or threats?

Solution

The log type ‘flo’ means failed logout. It can be triggered by:

  • Malformed client_id
  • client_id for federated clients trying to access non-authority tenants
  • post_logout_redirect_uris for the client not being set to an array
  • client_id supplied doesn’t exist
  • return_to URL is invalid
  • return_to URL is not specified in Allowed Logout URLs

These triggers are related to the misconfiguration of logout URIs. We wouldn’t log a flo for something like bot detection or the other tools we have for detecting malicious actors, but we would log a flo if a malicious actor attempts a logout and does something to trigger one of the conditions above (e.g. trying to redirect to a URL that isn’t in the allow list).
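
Because the same flo event can come from a misconfigured application or from someone deliberately varying logout parameters, it helps to triage exported tenant logs by how the failures are distributed. The script below is an added example, not Auth0 code: it reads JSON-lines log records using the `type`, `ip`, `client_id` and `description` fields, and the sample records, description strings, heuristic and thresholds are all assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records, not real tenant data. "description" values are
# placeholders, not Auth0's actual messages.
SAMPLE = """
{"type":"flo","ip":"198.51.100.7","client_id":"appA","description":"placeholder: return_to not allowed"}
{"type":"flo","ip":"198.51.100.8","client_id":"appA","description":"placeholder: return_to not allowed"}
{"type":"flo","ip":"198.51.100.9","client_id":"appA","description":"placeholder: return_to not allowed"}
{"type":"slo","ip":"198.51.100.9","client_id":"appA","description":"placeholder: logout ok"}
{"type":"flo","ip":"203.0.113.50","client_id":"appB","description":"placeholder: return_to invalid"}
{"type":"flo","ip":"203.0.113.50","client_id":"appC","description":"placeholder: return_to not allowed"}
{"type":"flo","ip":"203.0.113.50","client_id":"zzz","description":"placeholder: client_id does not exist"}
"""

def triage_flo(lines, min_ips=3, min_variants=3):
    """Split flo events into likely misconfiguration and likely probing.

    Assumed heuristic (thresholds are illustrative, tune per tenant):
      - the same (client_id, description) seen from >= min_ips source IPs
        looks like a broken logout setup affecting ordinary users;
      - one IP producing >= min_variants distinct (client_id, description)
        pairs looks like someone varying logout parameters.
    """
    ips_by_failure = defaultdict(set)
    failures_by_ip = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("type") != "flo":  # ignore every other event type
            continue
        key = (ev.get("client_id") or "", ev.get("description") or "")
        ip = ev.get("ip") or ""
        ips_by_failure[key].add(ip)
        failures_by_ip[ip].add(key)
    return {
        "misconfig": sorted(k for k, ips in ips_by_failure.items() if len(ips) >= min_ips),
        "probing": sorted(ip for ip, keys in failures_by_ip.items() if len(keys) >= min_variants),
    }

if __name__ == "__main__":
    print(triage_flo(SAMPLE.splitlines()))
```

Entries under `misconfig` point at a client whose Allowed Logout URLs or logout call needs fixing; entries under `probing` are source IPs worth correlating with other tenant log events.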