Logout Triggering Silent Authentication in React SDK

Last Updated: Nov 25, 2024

Overview

When a user logs out, the React SDK logs them out but also initiates silent authentication. As a result, the next time the user accesses the application, they are not prompted to log in, and the authorization code is exchanged. Only when the silent authentication fails is the user prompted to log in the next time they access the app.

This article clarifies why the SDK is triggering a silent authentication and whether this can be suppressed.

Applies To

  • React SDK
  • Silent Authentication

Cause

The issue was caused by a race condition: the logout page required authentication, so an ‘/authorize’ request was sent at the same time as the logout request. If a logout request is initiated after an ‘/authorize’ request but completes before that ‘/authorize’ request completes, the logout request has no impact on the user’s session.

Solution

A logout is best carried out with a button. If a separate route/page is used for logout, it should not be protected (i.e., it should be public) in the application. Otherwise, the application may try to check whether the user has a session by making an ‘/authorize’ call while attempting to log the user out.

Auth0 recommends using the React SDK quickstart and sample application for guidance on implementing a public logout page. These also show how to avoid making unnecessary calls to the /authorize endpoint and allow the logout to complete reliably.
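
The ordering described under Cause and the fix described under Solution, as a small JavaScript model added here (it is not Auth0's or the React SDK's code). ToyAuthServer, visitLogoutRoute and nextVisit are hypothetical names, and the model assumes that an in-flight /authorize writes back the session it validated when it completes.

```javascript
// Toy model, constructed for illustration; not Auth0 server or SDK code.
// Assumption: /authorize reads the session when it starts and writes the
// same session back when it completes.
class ToyAuthServer {
  constructor() { this.session = { user: "alice" }; } // constructed sample session

  // Phase 1 of /authorize: capture the session the browser presented.
  beginAuthorize() { return { seen: this.session }; }

  // Phase 2 of /authorize: issue a code and refresh the validated session.
  completeAuthorize(inflight) {
    if (!inflight.seen) return { error: "login_required" };
    this.session = inflight.seen;
    return { code: "constructed-auth-code" };
  }

  logout() { this.session = null; }
}

// Visiting the logout route. A protected route starts a silent /authorize
// before the page's logout call runs; a public route sends only the logout.
function visitLogoutRoute({ routeIsProtected }) {
  const server = new ToyAuthServer();
  const events = [];
  let inflight = null;
  if (routeIsProtected) {
    inflight = server.beginAuthorize();
    events.push("authorize:start");
  }
  server.logout(); // completes while /authorize is still in flight
  events.push("logout:done");
  if (inflight) {
    const result = server.completeAuthorize(inflight);
    events.push(result.code ? "authorize:code" : "authorize:" + result.error);
  }
  return { events, sessionAlive: server.session !== null };
}

// Next visit: silent authentication succeeds only if a session remains.
function nextVisit(outcome) {
  return outcome.sessionAlive ? "signed in silently" : "login prompt";
}

for (const routeIsProtected of [true, false]) {
  const run = visitLogoutRoute({ routeIsProtected });
  console.log(run.events.join(" -> "), "=>", nextVisit(run));
}
```
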
