Logging out with a connection from another auth0 tenant (auth0-oidc)

Hey team!

My organization has 2 tenants, one for our staff and one for our users.
We have a mobile app that has a login screen with 2 separate buttons.
One is for the user login and one is for the staff login.

Our staff tenant has been set up as a connection to the user tenant per instructions in this link:
https://auth0.com/docs/connections/social/auth0-oidc

The reason we have set up the staff tenant as a connection for our user tenant is because our AWS AppSync has OIDC Authorization with the Issuer URL set as our user tenant.

Our mobile application uses web auth with a hosted UI. Everything works as intended when our users login and logout. The problem that has arisen is logging out from our staff tenant connection.

When a staff member logs out and is taken to the login screen, if they hit the staff login button they are automatically taken back into the app with their previous login (they don’t have the option to log in as another staff member).

The above behaviour happens when I am logging out on the user tenant. If I set the logout to be on the staff tenant the following behaviour happens.

Staff logs out and is taken to the login screen, and now has the option to log in as another staff member. However, if they try to log in as a user, once again the login screen is bypassed and they are taken into the app and have a user session with the staff login.

When I log in to https://manage.auth0.com and look at the logs, I see that the logout is successful on each tenant, but for some reason I can’t completely log out of both tenants.

Expected Behaviour:
I should be able to invoke a logout on the user tenant, and that should force a logout of the connection too.

Can someone from auth0 please investigate this?

Cheers
Nayan

Hi Nayan.
For some connection types, you can request a “federated” logout, where Auth0 will clear the session on the Auth0 tenant and also send a logout request to the identity provider responsible for the connection (which, in this case, is the other Auth0 tenant).
However, the auth0-oidc connection type does not support federated logouts at this moment. I’d encourage you to leave a feature request with Auth0 to request federated logout support for the auth0-oidc connection type.

As a workaround, you can:

  • Send two separate logout requests when the user is a staff member. You’ll have to manage redirections accordingly, so that you first do one logout and then redirect to the other logout endpoint.
  • When requesting an authentication, use prompt=login to force Auth0 to prompt the user, even if the user is already logged in.
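As an added illustration of the two-step workaround above (example code, not from the original thread or from Auth0), this Python snippet builds the chained logout redirect (user tenant, then staff tenant, then back to the app) and a `prompt=login` authorize URL. Tenant domains, client IDs and the app URL are constructed placeholders, and the optional `connection` parameter assumes the staff button targets a named connection.

```python
from typing import List, Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values: replace with your own tenant domains, client IDs and app URL.
USER_TENANT = "users-example.auth0.com"
STAFF_TENANT = "staff-example.auth0.com"
USER_CLIENT_ID = "USER_TENANT_CLIENT_ID"
STAFF_CLIENT_ID = "STAFF_TENANT_CLIENT_ID"
APP_LOGIN_SCREEN = "myapp://login"  # each returnTo must be listed in that tenant's Allowed Logout URLs


def logout_url(tenant: str, client_id: str, return_to: str) -> str:
    """Auth0 /v2/logout URL: clears the session on `tenant`, then redirects to `return_to`."""
    return f"https://{tenant}/v2/logout?" + urlencode({"client_id": client_id, "returnTo": return_to})


def chained_logout_url() -> str:
    """Log out of the user tenant first; its returnTo is the staff tenant's logout, whose
    returnTo is the app. urlencode() percent-encodes the inner URL once, so it survives intact."""
    inner = logout_url(STAFF_TENANT, STAFF_CLIENT_ID, APP_LOGIN_SCREEN)
    return logout_url(USER_TENANT, USER_CLIENT_ID, inner)


def authorize_url(tenant: str, client_id: str, redirect_uri: str,
                  connection: Optional[str] = None) -> str:
    """Authorize URL with prompt=login so Auth0 shows the login page even with a live session."""
    params = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
              "scope": "openid profile", "prompt": "login"}
    if connection:
        params["connection"] = connection  # hypothetical name of the auth0-oidc staff connection
    return f"https://{tenant}/authorize?" + urlencode(params)


def logout_hops(url: str) -> List[str]:
    """Follow the returnTo chain and list each hop's origin, to verify the redirect order."""
    hops = []
    while url:
        parsed = urlparse(url)
        hops.append(f"{parsed.scheme}://{parsed.netloc}")
        url = parse_qs(parsed.query).get("returnTo", [None])[0]
    return hops
```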