Problem statement
When the user logs out, the React SDK logs the user out but also initiates a silent authentication. The next time the user accesses the application, they are not prompted to log in and the authorization code is exchanged.
Why is the SDK triggering a silent authentication, and can it be suppressed?
Note: When the silent authentication fails, the user is prompted to log in the next time they access the app.
Symptom
- Logout seemingly does not terminate the user’s session
- A /authorize call is seen on page load at the same time as the logout request
Troubleshooting
For the React SDK, check whether the application uses a separate page/route to trigger the logout and whether that route is wrapped in withAuthenticationRequired. Alternatively, this can happen if the application triggers authentication on page load while also triggering the logout.
Cause
The issue was caused by a race condition: the logout page required authentication, so a ‘/authorize’ request was sent at the same time as the logout request. If the logout request is initiated after the ‘/authorize’ request but completes before the ‘/authorize’ request does, the logout has no effect on the user’s session, because the ‘/authorize’ response still returns an authorization code that the SDK exchanges.
Solution
A logout is best triggered from a button. If a separate logout route/page is used, that route must not be protected (i.e., it should be public). Otherwise, the application may try to check whether the user has a session by making a ‘/authorize’ call at the same time it attempts to log the user out.
Auth0 recommends using the React SDK quickstart and sample application as guidance on implementing a public logout page; they also show how to avoid unnecessary calls to the /authorize endpoint so the logout completes reliably.
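The following added example (not code from the article or from Auth0’s sample application) shows the race-prone layout beside two safe ones; it assumes @auth0/auth0-react v2 (the `logoutParams` shape) and react-router v6.

```jsx
import React, { useEffect } from "react";
import { Routes, Route } from "react-router-dom";
import { useAuth0, withAuthenticationRequired } from "@auth0/auth0-react";

// RACE-PRONE: the logout page itself requires authentication.
// On load, withAuthenticationRequired starts a /authorize check while the
// effect below fires the logout at the same time. If the logout completes
// first, the /authorize response still returns an authorization code that
// the SDK exchanges, so the user ends up logged in again.
function RacyLogoutPage() {
  const { logout } = useAuth0();
  useEffect(() => {
    logout({ logoutParams: { returnTo: window.location.origin } });
  }, [logout]);
  return <p>Logging out…</p>;
}
const ProtectedLogout = withAuthenticationRequired(RacyLogoutPage); // avoid

// FIXED (a): a plain button on an already-rendered page; no route guard
// runs, so only the logout request is sent.
function LogoutButton() {
  const { logout, isAuthenticated } = useAuth0();
  if (!isAuthenticated) return null;
  return (
    <button onClick={() => logout({ logoutParams: { returnTo: window.location.origin } })}>
      Log out
    </button>
  );
}

// FIXED (b): if a dedicated /logout route is wanted, keep it PUBLIC (not
// wrapped in withAuthenticationRequired). Waiting for isLoading avoids
// calling logout while the SDK is still initialising on page load.
function PublicLogoutPage() {
  const { logout, isLoading } = useAuth0();
  useEffect(() => {
    if (!isLoading) logout({ logoutParams: { returnTo: window.location.origin } });
  }, [isLoading, logout]);
  return <p>Logging out…</p>;
}

export default function AppRoutes() {
  return (
    <Routes>
      <Route path="/" element={<LogoutButton />} />
      {/* <Route path="/logout" element={<ProtectedLogout />} />  race-prone */}
      <Route path="/logout" element={<PublicLogoutPage />} />
    </Routes>
  );
}
```

To confirm the fix, watch the network tab when visiting /logout: only the logout request should appear, with no concurrent /authorize call.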