According to OIDC specification then id_token is recommended to be passed when logging users out for security purpose. But the related Auth0 url does not require having it. Anybody knows the reasons behind?
8. Security Considerations
The OP iframe MUST enforce that the caller has the same origin as its parent frame. It MUST reject postMessage requests from any other source origin, to prevent cross-site scripting attacks.
The id_token_hint parameter to a logout request can be used to determine which RP initiated the logout request. Logout requests without a valid id_token_hint value are a potential means of denial of service; therefore, OPs may want to require explicit user confirmation before acting upon them.