The login flow works correctly for the most part. The only problem I have is when I use the client.logout(): the user is indeed logged out, but when I log in again it still has my previous credentials. I use the loginWithPopup() function and I get a popup asking me only to choose the account.
I would expect to have to input my email and password again. I tried clearing all cookies and local storage and still, this info is kept.
I am using an Okta enterprise connection on my login.
I also tried to add to the logout options
logoutParams: {
federated: true,
},
but still with no effect.
Can you please help me on how to effectively log out a user without saving any previous credentials?
This way you have cleared the application layer session (local session), but not Auth0 or the upstream IdP sessions.
This is a correct step on your side (to use the federated logout). Based on my research, it's now up to the upstream IdP (Identity Provider) how this will be handled. If I understand correctly, the desired outcome is to terminate sessions on SAML SPs (Service Providers, Auth0 and your SPA app in this case). This is called SLO (Single Logout), so that once the user attempts to log in again, a new session has to be established (credentials have to be submitted by the user).
On receiving the request, the IdP may or may not do a full SLO flow to any other SAML SPs associated with the session (this is entirely up to how the IdP manages sessions and SLO and not related to Auth0 in any way). Eventually, the IdP will return a logout response to Auth0. If the status of this response is "success" then Auth0 terminates the user's Auth0 session. If the response does not indicate success then the user's session remains active.
Based on the diagram there, you can inspect the network calls to see more what’s happening when your app calls the /logout endpoint.
While you discover the topic, please let me know any questions that come your way, happy to help!
Thank you for the reply. I can confirm the bug mentioned in the FAQ: "While this is the correct configuration, there is a known bug in Auth0 that the Auth0 user session will not be terminated (put another way, the SAML SP session at Auth0 will still exist)."
What happens in my application is a GET to /v2/logout with a 302, as described in the graph. After that, there are no other calls, and I think this is the bug here.
I also noticed that the federated parameter is formed like &federated= instead of ?federated, without the =, as described in the documentation.
I also tried to add max_age:0 to loginWithPopup and createAuth0Client, but with no effect.
Is there any other solution to force reauthentication?
Thank you for sharing your steps. I slightly edited my previous reply (I wrongly assumed you are using Okta as an upstream IdP).
The bug mentioned in the FAQs refers to IdP-initiated logout, i.e. when a SPA directly calls the upstream IdP logout endpoint (the AD FS logout endpoint), which later calls the Auth0 logout endpoint. What happens in your case is that your app is calling the Auth0 logout endpoint, meaning you are performing an SP-initiated logout.
To further troubleshoot it, while being logged into your SPA, could you paste the /logout URL directly into the browser URL bar?
https://{yourAuth0domain}/v2/logout?federated returns a 200.
https://{yourAuth0domain}/v2/logout?federated&client_id={yourSPAclientId} returns a 302 and redirects to my app page.
The enable logout toggle seems to be only for SAML connections. I am not using a SAML connection; I am using an Okta Workforce connection directly on the enterprise connection.
The GitHub repo is unfortunately private, as it's part of my company's code.
After additional investigation I can see that, unfortunately, Okta is outside the list of supported IdPs for a federated logout, meaning the app session will be invalidated only once a user logs out from Okta.
It also looks like Auth0 currently supports single sign out only via SAML.
If you would be open to trying it out, I think we can check the steps provided here to see if the behaviour will change (but it looks like it is still relevant to SAML only):
In your SPA app → Allowed Logout URLs → please set the URL to https://{YourAuth0Domain}/v2/logout
In the browser URL bar, please paste the URL (URL-encoded): https://{yourDomain}/v2/logout?client_id={yourClientId}&returnTo=https://{YourAuth0Domain}/v2/logout
or
In your SPA app → Allowed Logout URLs → please set the URL to https://{YourAuth0Domain}/oidc/logout
In the browser URL bar, please paste the URL (URL-encoded): https://{yourDomain}/v2/logout?client_id={yourClientId}&returnTo=https://{YourAuth0Domain}/oidc/logout
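To make the two URL details discussed in this thread concrete (the bare ?federated flag from the second post, and the chained returnTo logout from the last reply), here is an added example that is not from the thread or from the Auth0 SDK. It builds the /v2/logout URL by hand and inspects one copied from the network tab; the domain, client_id and returnTo values are constructed placeholders.

```javascript
// Added example (not the Auth0 SDK's own code). Builds an Auth0 /v2/logout URL
// in the shape the documentation describes, so it can be compared with what the
// SDK actually sends. All inputs are assumed/constructed sample values.
function buildAuth0LogoutUrl(domain, { clientId, returnTo, federated = false } = {}) {
  const params = [];
  // "federated" is documented as a bare flag: "?federated", not "federated=".
  if (federated) params.push('federated');
  if (clientId) params.push(`client_id=${encodeURIComponent(clientId)}`);
  // returnTo must be URL-encoded and listed under the app's Allowed Logout URLs.
  if (returnTo) params.push(`returnTo=${encodeURIComponent(returnTo)}`);
  const query = params.length ? `?${params.join('&')}` : '';
  return `https://${domain}/v2/logout${query}`;
}

// Chains the logout to Auth0's own logout endpoint, as the last reply suggests:
// after the application session is cleared, returnTo sends the browser back to
// /v2/logout (or /oidc/logout) on the tenant domain.
function buildChainedLogoutUrl(domain, clientId, endpoint = '/v2/logout') {
  return buildAuth0LogoutUrl(domain, {
    clientId,
    returnTo: `https://${domain}${endpoint}`,
  });
}

// Inspects a logout URL copied from the browser's network tab and reports whether
// the federated flag is present and whether it carries the stray "=" noted above.
function inspectLogoutUrl(url) {
  const u = new URL(url);
  const rawQuery = u.search.startsWith('?') ? u.search.slice(1) : '';
  const parts = rawQuery.split('&').filter(Boolean);
  const federatedPart = parts.find((p) => p === 'federated' || p.startsWith('federated='));
  return {
    path: u.pathname,
    federated: federatedPart !== undefined,
    federatedHasEquals: federatedPart !== undefined && federatedPart.includes('='),
    clientId: u.searchParams.get('client_id'),
    returnTo: u.searchParams.get('returnTo'),
  };
}
```

Running inspectLogoutUrl on the URL the SDK emits is a quick way to confirm which of the two federated spellings your tenant actually receives before comparing it against the documentation.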