Logout Across Multiple Subdomains with auth0-spa-js

Overview

This article describes the best way to clear the application session layer across all subdomains of a SPA that uses auth0-spa-js with multiple subdomains when cacheLocation is set to localstorage.

It also answers the questions below for an application configured as follows:

// Option names as in auth0-spa-js v1 (v2 renames client_id to clientId and moves
// redirect_uri and audience under authorizationParams).
const auth0 = await createAuth0Client({
  domain: '<AUTH0_DOMAIN>',
  client_id: '<AUTH0_CLIENT_ID>',
  redirect_uri: '<MY_CALLBACK_URL>',
  audience: '<MY_AUDIENCE>',
  cookieDomain: '.myapp.com',    // scope the library's cookie to the parent domain
  cacheLocation: 'localstorage'  // cache tokens in LocalStorage, which is per origin
})
  • Should logout from one.myapp.com have any impact on the tokens in local storage on two.myapp.com (@@auth0spajs@@::<client-id>::<audience>::<scopes>)?
  • Should they be deleted from both subdomains? Or does this have nothing to do with setting cookieDomain to the top-level domain?

Solution

When LocalStorage is used, tokens are stored separately for each subdomain, because LocalStorage is scoped to a single origin. Clearing tokens across subdomains is therefore a challenge. The auth0-spa-js library currently has no built-in functionality to manage tokens across subdomains; this task falls on the client application, which may need additional logic.

One approach is to use a client-side technique such as the BroadcastChannel API (which is scoped to a single origin, so reaching another subdomain requires a relay such as an iframe and postMessage) or WebSockets/SSE to trigger token clearing on the other subdomains. Implementing the WebSockets/SSE solution, however, may not be straightforward.

The underlying problem is communicating between subdomains open in different tabs. Once that is solved, the tokens each subdomain holds in LocalStorage can be cleared. auth0-spa-js currently has no built-in feature that supports this.

Setting cookieDomain to .myapp.com has no effect on how tokens are cleared from LocalStorage. The option scopes the library's cookie to the parent domain instead of the current subdomain, so the cookie is shared with all subdomains. Confirm this in the Cookies section of Chrome DevTools by checking the Domain column.
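As an added example (not Auth0 or auth0-spa-js code) of the client-side logic the library leaves to the application: the subdomain that logs out sets its own marker cookie on the parent domain, which every subdomain can read for the same reason the cookieDomain section describes, and each subdomain clears its own @@auth0spajs@@ keys from LocalStorage the first time it sees a marker it has not acted on. The cookie name app_logout, the storage key app_logout_seen, and the in-memory storage stand-in are assumptions of this example.

```javascript
// Added example, not Auth0 or auth0-spa-js code. Cookie name `app_logout` and
// storage key `app_logout_seen` are names assumed for this example.
const CACHE_PREFIX = '@@auth0spajs@@::'; // prefix of the library's LocalStorage keys
const MARKER_COOKIE = 'app_logout';
const SEEN_KEY = 'app_logout_seen';

// `storage` is any object with the Web Storage interface (length, key, getItem, setItem, removeItem).
function findAuth0CacheKeys(storage, clientId) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.startsWith(`${CACHE_PREFIX}${clientId}::`)) keys.push(k);
  }
  return keys;
}

// Removes every cache entry for this client id; returns how many were removed.
function clearAuth0Cache(storage, clientId) {
  const keys = findAuth0CacheKeys(storage, clientId); // collect first: removing while iterating skips keys
  for (const k of keys) storage.removeItem(k);
  return keys.length;
}

// Cookie the logging-out subdomain sets; Domain=.myapp.com makes it readable on every subdomain.
function buildLogoutCookie(domain, ts) {
  return `${MARKER_COOKIE}=${ts}; Domain=${domain}; Path=/; Secure; SameSite=Lax`;
}

// Parses a document.cookie string; returns the marker timestamp or null if absent.
function readLogoutMarker(cookieString) {
  const m = new RegExp(`(?:^|;\\s*)${MARKER_COOKIE}=(\\d+)`).exec(cookieString);
  return m ? Number(m[1]) : null;
}

// Run on each subdomain at page load. Acts only on a marker this subdomain has not
// seen before, so a later fresh login is not wiped by the still-present cookie.
function syncLogout(storage, clientId, cookieString) {
  const marker = readLogoutMarker(cookieString);
  const seen = Number(storage.getItem(SEEN_KEY) || 0);
  if (marker === null || marker <= seen) return 0;
  storage.setItem(SEEN_KEY, String(marker));
  return clearAuth0Cache(storage, clientId);
}

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function makeStorage(entries = {}) {
  const m = new Map(Object.entries(entries));
  return {
    get length() { return m.size; },
    key: (i) => { const ks = [...m.keys()]; return i < ks.length ? ks[i] : null; },
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

A tab that is already open on another subdomain only notices the marker when it runs syncLogout again, so call it on visibilitychange or on a timer as well as at page load.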