Our app is configured to first prompt a user for email and password, then the organization. Everything seems to work. When the user wants to log off from our app, we use the useAuth0 React hook to fetch the access token, id token hint, and call the oidc logout url. We also clear any local storage entries (where our info auth0 goodies are stored) with the name “@@auth0…” in them. Our app then redirects to an Auth0 route, which in turn redirects back to our app to start the login process again. When THAT happens, the user is only prompted to perform their 2nd-factor identification (email, sms, passkey, etc) but not to enter their username, password, or organization. How can I configure/change my app to do so?
Hi @capndave,
I have checked your tenant logs and did not find any log out events. Because of this, I’m unsure if the user was logged out correctly.
Have you ensured that you called the logout URL like the following example:
https://{yourDomain}/oidc/logout?id_token_hint={yourIdToken}&post_logout_redirect_uri={yourCallbackUrl}
I have confirmed that you enabled the RP-Initiated Logout End Session Endpoint Discovery option in your tenant advanced settings.
It might be worth opening your network activity to be certain that the logout request is happening. And you could also try the /v2/logout endpoint.
Thanks,
Rueben
My request does look like your example. I’m worried that perhaps the id_token_hint I’m sending is wrong, even though the request redirects the user. Is the below code correct for extracting the id_token_hint using the useAuth0 hook in React? Should I be passing the _raw value, the entire id_token object, or something else?
const idTokenHint = (await auth0.getIdTokenClaims()).__raw;
@rueben.tiow I was making an HTTP call to that endpoint rather than redirecting to it! Everything seems to be working now. For anyone else looking at this, you can do this easily with the logout method from the useAuth0 hook.
Hi @capndave,
Thanks for the follow-up and I’m glad it’s working now!
Yes, that is correct. Calling the getIdTokenClaims method allows you to retrieve the raw ID token by accessing it through the __raw property. By calling await auth0.getIdTokenClaims(), you can access the ID token and extract it to use as the id_token_hint.
You could also verify this by taking the ID token and decoding it in jwt.io. And that’s correct, the logout method from the useAuth0 hook will accomplish the same.
Let us know if there’s anything else we can do to help.
Cheers,
Rueben
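The fix reported in this thread was to send the browser to the logout URL instead of calling it over HTTP from script. As an added example (not code from the thread or from the Auth0 SDK), the sketch below checks that the id_token_hint is the raw token string rather than the claims object, builds the /oidc/logout URL shown earlier, and navigates to it. The function names, tenant.example.com and the sample token are assumptions constructed for illustration.

```javascript
// Added example; all function names here are hypothetical helpers, not SDK APIs.

// Decode one base64url JWT segment into a JSON value.
function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, "=")));
}

// id_token_hint must be the compact JWT string (header.payload.signature),
// i.e. the __raw value, not the decoded claims object.
function isCompactJwt(value) {
  if (typeof value !== "string") return false;
  const parts = value.split(".");
  if (parts.length !== 3 || parts.some((p) => !/^[A-Za-z0-9_-]+$/.test(p))) return false;
  try {
    return parts.slice(0, 2).every((p) => {
      const obj = decodeSegment(p);
      return obj !== null && typeof obj === "object";
    });
  } catch {
    return false; // not base64url-encoded JSON
  }
}

// Build the RP-initiated logout URL with both parameters percent-encoded.
function buildOidcLogoutUrl(domain, rawIdToken, postLogoutRedirectUri) {
  if (!isCompactJwt(rawIdToken)) {
    throw new TypeError("id_token_hint must be the raw ID token string (claims.__raw)");
  }
  const url = new URL(`https://${domain}/oidc/logout`);
  url.searchParams.set("id_token_hint", rawIdToken);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return url.toString();
}

// Top-level navigation, not fetch()/XHR: the browser itself must visit the URL.
// `location` is injectable so the function can be exercised outside a browser.
function redirectToLogout(url, location = globalThis.location) {
  location.assign(url);
}

// Constructed sample token (unsigned placeholder signature, for shape checks only).
const b64url = (o) =>
  btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_ID_TOKEN = [
  b64url({ alg: "RS256", typ: "JWT" }),
  b64url({ sub: "constructed-user", iss: "https://tenant.example.com/" }),
  "constructed-signature",
].join(".");
```

In a React component the raw token would come from `(await getIdTokenClaims()).__raw`, as in the snippet posted above.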