Logging out completely

allistair · October 19, 2023, 5:13pm

Hey,

I’ve seen a range of folk raising logout-doesn’t-really-logout, I’d like to try again. Failing this I will raise a ticket on the nextjs-auth0 Github project.

I don’t consider my implementation anything other than standard, that is to say:

Login button with href /api/auth/login?returnTo=/dashboard
Out of the box middleware.ts for protecting /dashboard/*
A logout button with href /api/auth/logout

If I click my Login button, I’ll go to the Auth0 universal login, and get redirected to my /dashboard page, with all the user hooks working. Excellent. I can see a cookie called appSession.

If I click logout, I get taken back to my / login page. I can see the appSession cookie is removed.

BUT

If I tap login, to go to /api/auth/login?returnTo=/dashboard then I am automatically logged into /dashboard, without the Auth0 universal login.

This is challenging, because I am trying to test with many users in development, so I need to be able to properly logout. It’s also IMO a security risk if this happens in production, as if I want to logout my session, someone in a coffee shop should not be able to tap login and expect to be logged in.

One thing that DOES work is overwriting the /api/auth/[auth0]/route.ts as follows:

import { handleAuth, handleLogout } from "@auth0/nextjs-auth0";
import { NextResponse } from "next/server";

// export const GET = handleAuth();

export const GET = handleAuth({
  logout: async (req, res) => {
    return NextResponse.redirect(
      process.env.AUTH0_LOGOUT_OIDC +
        "?post_logout_redirect_uri=" +
        encodeURIComponent(process.env.AUTH0_BASE_URL)
    );
  },
});

This follows the info at Use the OIDC Endpoint to Log Users Out of Auth0, except:

The final logged out screen has no way for the user to get back to the original site loging page
The post_logout_redirect_uri is ignored, despite being described as operational at Use the OIDC Endpoint to Log Users Out of Auth0 and despite my adding it to both Tenant Settings, and my Application Settings - in the allowable Logout URL fields

My questions are:

How are others logging out users using the auth0-nextjs library?
Are others finding that login is not always requires despite calling logout?
Are others using this OIDC approach to logging out at the identity provider side and if so, does post_logout_redirect work?

MarkBoucher72 · October 20, 2023, 4:42pm

I’ve encountered similar logout issues. Many resort to OIDC logout, but it can be inconsistent. Post-logout redirect sometimes doesn’t work as expected. Looking for insights and best practices from others.

dalgonaio · October 20, 2023, 9:32pm

Hey all - for me, I got this fixed by going into my Dashboard > Advanced > Log In Session Management and changed it to nonpersistent and 1 minute each for the other values. Then waiting after logging out for 2 min before clicking login again.

allistair · October 23, 2023, 6:11pm

Hey - that’s not the most usable solution though, as a non-persistent cookie will be removed on closing the browser, requiring a re-login if I close the tab/browser session.

Also, the cookie isn’t the issue here - as I mentioned, the cookie is removed with the /api/auth/logout call, the issue is that some other magic is logging the user back in without logging in if its within a time period of the logout.

For me, logout should mean logout, I don’t understand how this behaviour is useful or secure.

Hence needing this nuisance of needing to use the OIDC logout - suggesting something about the auth0-nextjs library is checking with Auth0 to see if the user is “logged in at the identity side” which needs to be something we can opt out of.

dalton · November 9, 2023, 2:02am

I figured out a solution to this. Here’s what I did.

The reason this isn’t working is because the Auth0 NextJS handleLogout just deletes the cookie set on your AUTH0_BASE_URL, but it doesn’t delete the cookie on your AUTH0_ISSUER_BASE_URL, so when you login after logging out, it redirects to that issuer url, sees a valid auth cookie and signs you right back in.

What I found is Auth0 has a /v2/logout endpoint that deletes the cookie from the issuer url, so if you redirect to that endpoint after the handleLogout it will also remove the cookie from your AUTH0_ISSUER_BASE_URL. Here’s my implementation.

/api/auth/[auth0]/route.ts

import { handleAuth, handleLogin, handleLogout } from '@auth0/nextjs-auth0';

const logoutUrl = [
  `${process.env.AUTH0_ISSUER_BASE_URL}/v2/logout?`,
  `client_id=${process.env.AUTH0_CLIENT_ID}`,
  `&returnTo=${process.env.AUTH0_BASE_URL}`,
];

export const GET = handleAuth({
  logout: handleLogout({ returnTo: logoutUrl.join('') }),
});