We are using Auth0 with an Angular-based SPA. The problem we are facing is that logout is working in 95% of the cases, while in the remaining 5% of cases the Auth0 session is not cleared after navigating to `/v2/logout`.
“Good” workflow (happens in 95% of cases):
- User clicks “logout” button
- Code: logout handler clears local session
- Code: logout handler calls `this.auth0Service.logout({returnTo})` (where `auth0Service` is an instance of `AuthService` from the `@auth0/auth0-angular` npm package).
- User follows redirect to `/v2/logout` → `returnTo`
- User clicks “login”, and follows redirects `/authorize` → `/login` and is challenged for credentials
“Bad” workflow (happens in 95% of cases):
- User clicks “logout” button
- Code: logout handler clears local session
- Code: logout handler calls `this.auth0Service.logout({returnTo})`
- User follows redirect to `/v2/logout` → `returnTo`
- User clicks “login”, and follows redirects to `/authorize`, but then the authorize endpoint finds an existing Auth0 session, and therefore skips the redirect to `/login`, and redirects the user straight to `returnUrl` with an authorization code
Notes:
The only difference that we were able to pinpoint between the “good” and “bad” flows is that in the “bad” case the `/v2/logout` endpoint, besides sending a 302 redirect, sets a cookie `__cf_bm`, while in the “good” case no cookie is set by the logout endpoint.
Some service headers from one example “bad” /v2/logout request:
```
x-auth0-requestid: 19c4ce702956f26d98a2
ot-baggage-auth0-request-id: 757e104d8c3b7549
ot-tracer-sampled: true
ot-tracer-spanid: 5a9def305893c4ba
ot-tracer-traceid: 6da89b985f9dbef5
traceparent: 00-5a9def305893c4ba-00000000000000006da89b985f9dbef5-01
tracestate: auth0-request-id=757e104d8c3b7549,auth0=true
```
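
A triage helper for gathering evidence on the two flows described in the post, added here as an example (it is not code from the original post or from the Auth0 SDK): it reads HAR-style entries from a browser capture, lists the cookies set by the `/v2/logout` response, and reports whether the next `/authorize` led to `/login` or straight back with a code. The hosts `tenant.example` and `app.example`, the `/callback` path, and the assumption that the code arrives as a `code` query parameter are constructed for illustration.

```javascript
// Added example: classify a captured logout -> login flow from HAR 1.2 entries.
// Fields used: request.url, response.redirectURL, response.headers[{name, value}].
const pathOf = (u) => new URL(u).pathname;

// Names of the cookies a response sets via Set-Cookie headers.
function cookiesSet(entry) {
  return entry.response.headers
    .filter((h) => h.name.toLowerCase() === "set-cookie")
    .map((h) => h.value.split("=")[0].trim());
}

// verdict: "challenged" when the first /authorize after /v2/logout redirects to
// /login, "session-survived" when it redirects elsewhere carrying a code
// (assumption: query parameter named "code"), otherwise "inconclusive".
function classifyFlow(entries) {
  const i = entries.findIndex((e) => pathOf(e.request.url) === "/v2/logout");
  if (i < 0) return { logoutCookies: [], verdict: "inconclusive" };
  const logoutCookies = cookiesSet(entries[i]);
  const authz = entries.slice(i + 1).find((e) => pathOf(e.request.url) === "/authorize");
  if (!authz || !authz.response.redirectURL) return { logoutCookies, verdict: "inconclusive" };
  // redirectURL may be relative, so resolve it against the request URL.
  const next = new URL(authz.response.redirectURL, authz.request.url);
  let verdict = "inconclusive";
  if (next.pathname === "/login") verdict = "challenged";
  else if (next.searchParams.has("code")) verdict = "session-survived";
  return { logoutCookies, verdict };
}

// Constructed sample captures (not real traffic); all values are placeholders.
const hop = (url, redirectURL, setCookies = []) => ({
  request: { url },
  response: { status: 302, redirectURL,
    headers: setCookies.map((value) => ({ name: "Set-Cookie", value })) },
});
const LOGOUT = "https://tenant.example/v2/logout?returnTo=https%3A%2F%2Fapp.example%2F";
const AUTHORIZE = "https://tenant.example/authorize?client_id=CONSTRUCTED";
const GOOD = [
  hop(LOGOUT, "https://app.example/"),
  hop(AUTHORIZE, "/login?state=CONSTRUCTED"),
];
const BAD = [
  hop(LOGOUT, "https://app.example/", ["__cf_bm=CONSTRUCTED; path=/; HttpOnly"]),
  hop(AUTHORIZE, "https://app.example/callback?code=CONSTRUCTED&state=CONSTRUCTED"),
];

for (const [name, flow] of [["good", GOOD], ["bad", BAD]]) {
  console.log(name, JSON.stringify(classifyFlow(flow)));
}
```

Run over many captures, the output shows whether the `__cf_bm` cookie on `/v2/logout` really coincides with every surviving session or only with some of them.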