Problem statement
We want to understand the log event type “flo” (Failed Logout) for Auth0 tenants.
What are the triggers for this event code? And are they triggered by malicious actors or threats?
Solution
The log type ‘flo’ means failed logout. It can be triggered by:
- Malformed client_id
- client_id for federated clients trying to access non-authority tenants
- post_logout_redirect_uris for the client not being set to an array
- client_id supplied doesn’t exist
- return_to URL is invalid
- return_to URL is not specified in Allowed Logout URLs
All of these triggers come from misconfigured logout URLs or client identifiers, not from a security detection. A flo is not logged by bot detection or the other tooling used to identify malicious actors. A flo would be logged, however, if a malicious actor attempts a logout and trips one of the conditions above, for example by trying to redirect to a return_to URL that is not in the allow list. A single flo is therefore a configuration failure, but a burst of flo events from one IP, or across many different client_id values, is worth a second look because it can indicate someone probing the logout endpoint.
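As an added example, not part of the original article and not Auth0's own code, the Python below does two things: it models the flo trigger conditions listed above as a validation routine, so you can see which check a given logout request fails, and it triages a handful of flo log events to separate a one-off misconfiguration from an IP that is probing many client_id values. Assumptions made here: client IDs are 32 alphanumeric characters (anything else is treated as malformed), Allowed Logout URLs are compared by exact string match, the two client records and all log lines and description strings are constructed for the example, and the federated-client/non-authority-tenant case is not modeled because it depends on tenant topology.

```python
import json
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Assumption: Auth0 client IDs are 32 alphanumeric characters.
CLIENT_ID_RE = re.compile(r"^[A-Za-z0-9]{32}$")

# Constructed client records for the example (a real tenant keeps these in the
# Management API). The second one carries the "not an array" misconfiguration.
CLIENTS = {
    "aBcDeFgHiJkLmNoPqRsTuVwXyZ012345": {
        "name": "web-app",
        "post_logout_redirect_uris": ["https://app.example.com/logged-out"],
        "allowed_logout_urls": ["https://app.example.com/logged-out"],
    },
    "zYxWvUtSrQpOnMlKjIhGfEdCbA987654": {
        "name": "legacy-app",
        "post_logout_redirect_uris": "https://legacy.example.com/bye",  # should be a list
        "allowed_logout_urls": ["https://legacy.example.com/bye"],
    },
}


def logout_failure_reason(client_id, return_to, clients=CLIENTS):
    """Return None if the logout would succeed, otherwise a short reason.

    The checks mirror the flo triggers listed above, in the order a request
    would plausibly fail. Federated/non-authority tenants are not modeled.
    """
    if not client_id or not CLIENT_ID_RE.match(client_id):
        return "malformed client_id"
    client = clients.get(client_id)
    if client is None:
        return "client_id does not exist"
    if not isinstance(client.get("post_logout_redirect_uris"), list):
        return "post_logout_redirect_uris is not an array"
    if return_to is None:
        return None  # no redirect requested, nothing further to validate
    parsed = urlparse(return_to)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return "return_to URL is invalid"  # catches javascript:, data:, relative paths
    if return_to not in client["allowed_logout_urls"]:  # exact match (assumption)
        return "return_to not in Allowed Logout URLs"
    return None


# Constructed tenant log events, one JSON object per line, using the Auth0 log
# field names (type, date, ip, client_id, description). The description text
# is made up for the example. 203.0.113.7 has a single misconfiguration hit;
# 198.51.100.9 walks through several client_id values.
SAMPLE_LOG = """
{"type":"flo","date":"2024-05-01T10:00:01Z","ip":"203.0.113.7","client_id":"zYxWvUtSrQpOnMlKjIhGfEdCbA987654","description":"post_logout_redirect_uris is not an array"}
{"type":"slo","date":"2024-05-01T10:00:05Z","ip":"203.0.113.7","client_id":"aBcDeFgHiJkLmNoPqRsTuVwXyZ012345","description":"User successfully logged out"}
{"type":"flo","date":"2024-05-01T10:01:10Z","ip":"198.51.100.9","client_id":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA","description":"client_id does not exist"}
{"type":"flo","date":"2024-05-01T10:01:11Z","ip":"198.51.100.9","client_id":"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB","description":"client_id does not exist"}
{"type":"flo","date":"2024-05-01T10:01:12Z","ip":"198.51.100.9","client_id":"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC","description":"client_id does not exist"}
{"type":"flo","date":"2024-05-01T10:01:13Z","ip":"198.51.100.9","client_id":"../etc","description":"malformed client_id"}
"""


def triage_flo(log_text, threshold=3):
    """Group flo events by source IP and flag IPs that either produce many flo
    events or touch many distinct client_id values (possible enumeration).

    Returns {ip: {"events": n, "distinct_client_ids": n, "top_reason": str}}
    for flagged IPs only.
    """
    by_ip = defaultdict(lambda: {"events": 0, "client_ids": set(), "reasons": Counter()})
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("type") != "flo":
            continue  # slo and everything else is out of scope here
        rec = by_ip[event.get("ip", "unknown")]
        rec["events"] += 1
        rec["client_ids"].add(event.get("client_id"))
        rec["reasons"][event.get("description", "")] += 1
    flagged = {}
    for ip, rec in by_ip.items():
        if rec["events"] >= threshold or len(rec["client_ids"]) >= threshold:
            flagged[ip] = {
                "events": rec["events"],
                "distinct_client_ids": len(rec["client_ids"]),
                "top_reason": rec["reasons"].most_common(1)[0][0],
            }
    return flagged


if __name__ == "__main__":
    print(logout_failure_reason("aBcDeFgHiJkLmNoPqRsTuVwXyZ012345", "https://evil.example.net/"))
    print(triage_flo(SAMPLE_LOG))
```

The threshold of three is arbitrary; in a real tenant you would tune it against the normal flo rate, which for a correctly configured application should be close to zero, so almost any sustained stream of flo from one source is interesting.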