Logging out of one Shopify site doesn't log you out of the other

Problem statement

We have some issues with your app.

  • user logs into one Shopify site and is immediately logged into a second site
  • log out of one site does NOT automatically log the user out of the second site

How to log out of the second site automatically?

Troubleshooting

  • check the network tab to see what Auth0-related calls were made from the application
  • check if the application is periodically making a Silent Auth request to Auth0 to check on the session status of the user
  • without Silent Auth, site 1 and site 2 aren’t aware of changes made to a user’s session, i.e. you can log out of site 1 but remain logged in to site 2, because site 2 doesn’t check Auth0, assumes the user still has a valid session, and keeps them logged in.

Cause

Site 2 still has its own local session, which is not affected by logging out of the site 1 session, so it does not consider the user logged out. Because it still has this local session, it does not check with Auth0 when the site is opened.
Therefore, Auth0 is never called by site 2. If it were, Auth0 would prompt the user to log in again, as the Auth0 session has been terminated.

Solution

Either Shopify needs to support a multi-store logout endpoint that you can call to terminate all of your store’s local sessions and that also calls the Auth0 logout endpoint to end the Auth0 session.

Or, Shopify needs to support a silent authentication attempt to Auth0 (an /authorize request with the “prompt=none” query string parameter) on page load or after a period of time has elapsed. This would allow a site to check whether the user still has a valid Auth0 session without disrupting the user, and to update its local session based on the result - i.e. terminate the local session if Auth0 returns a “login_required” error, or allow the user to continue using the store if the request succeeds.
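
The silent authentication check described above, sketched as an added example (not Shopify's or Auth0's own code). The tenant domain, client ID, callback URL and function names are placeholders chosen for illustration; the action names returned are this example's own, and treating errors other than “login_required” as "unverified" is an assumption left to the site's policy.

```javascript
// Added example; tenant domain, client ID and function names are placeholders.

// Build the silent /authorize request. `state` and `nonce` must be fresh
// random values generated per attempt and remembered by the caller.
function buildSilentAuthUrl({ domain, clientId, redirectUri, state, nonce }) {
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: "openid",
    state,
    nonce,
    prompt: "none", // never show a login page; answer with an error instead
  }).toString();
  return url.toString();
}

// Decide what to do with the local session, given the redirect back from Auth0.
function evaluateSilentAuthResult(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  // A response whose state does not match is not an answer to our request:
  // neither extend nor end the session because of it.
  if (!expectedState || params.get("state") !== expectedState) {
    return "ignore";
  }
  const error = params.get("error");
  if (error === "login_required") {
    return "terminate"; // the Auth0 session is gone: end the local session too
  }
  if (error) {
    return "unverified"; // session state could not be confirmed silently
  }
  // An authorization code means Auth0 still has a session. The code must
  // still be exchanged server-side before the local session is extended.
  return params.has("code") ? "continue" : "ignore";
}
```

A site would run this on page load or on a timer, typically in a hidden iframe or background redirect, and clear its own session cookie when the result is "terminate".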