Problem statement
We’re using a SPA. When the user logs out, the SDK logs the user out but initiates a silent authentication. When users access the application the next time, they are not prompted for a login, and the auth code is exchanged.
If the silent authentication fails, the users are prompted to log in the next time they access the app.
Why is the SDK triggering a silent authentication? And can we suppress it?
Symptom
Logout does not terminate the user’s session.
An /authorize call is seen on page load, simultaneously with the logout request.
React SDK or potentially a similar SPA-based SDK in use.
Troubleshooting
For React, check if the application is using a different page/route to trigger logout, if it uses withAuthenticationRequired, or if you are somehow triggering authentication on page load when you are also trying to trigger the logout.
Cause
The issue was due to a race condition caused by the logout page requiring authentication, so an /authorize request was being sent simultaneously with the logout request. If a logout request is initiated after an /authorize request and completes before the /authorize request completes, the logout will have no impact on the user’s session.
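One way to confirm this race from a browser network capture, as an added example that is not code from the SDK or the original article: it scans HAR-style entries (`startedDateTime`, `time` and `request.url` are standard HAR fields) for an /authorize request that is in flight while /v2/logout runs. The host tenant.example.com, the timings and the function names are constructed for illustration.

```javascript
// Added example: flags the logout race in HAR-style network entries.
// Sample data is constructed; tenant.example.com is a placeholder host.
const racyEntries = [
  { startedDateTime: "2024-01-01T10:00:00.000Z", time: 900,
    request: { url: "https://tenant.example.com/authorize?client_id=YOUR_CLIENT_ID&prompt=none" } },
  { startedDateTime: "2024-01-01T10:00:00.100Z", time: 300,
    request: { url: "https://tenant.example.com/v2/logout?client_id=YOUR_CLIENT_ID&returnTo=LOGOUT_URL" } },
];
const cleanEntries = [
  { startedDateTime: "2024-01-01T11:00:00.000Z", time: 300,
    request: { url: "https://tenant.example.com/v2/logout?client_id=YOUR_CLIENT_ID&returnTo=LOGOUT_URL" } },
  { startedDateTime: "2024-01-01T11:00:01.000Z", time: 400,
    request: { url: "https://tenant.example.com/authorize?client_id=YOUR_CLIENT_ID" } },
];

// Convert one entry to { path, start, end } with times in epoch milliseconds.
function toWindow(entry) {
  const start = Date.parse(entry.startedDateTime);
  return { path: new URL(entry.request.url).pathname, start, end: start + entry.time };
}

// Return every /v2/logout request that overlaps an in-flight /authorize request.
function findLogoutRaces(entries) {
  // HAR uses a negative time for requests with no usable timing; skip those.
  const windows = entries.filter((e) => e.time >= 0).map(toWindow);
  const authorizes = windows.filter((w) => w.path === "/authorize");
  const logouts = windows.filter((w) => w.path === "/v2/logout");
  const races = [];
  for (const lo of logouts) {
    for (const az of authorizes) {
      // No overlap means the two requests cannot race.
      if (!(az.start < lo.end && lo.start < az.end)) continue;
      races.push({
        authorizeStart: new Date(az.start).toISOString(),
        logoutStart: new Date(lo.start).toISOString(),
        // The ordering described above: logout begins after /authorize
        // and finishes first, so the session survives the logout.
        logoutIneffective: lo.start >= az.start && lo.end < az.end,
      });
    }
  }
  return races;
}

console.log(findLogoutRaces(racyEntries));
console.log(findLogoutRaces(cleanEntries));
```

Any result with `logoutIneffective: true` points to a logout route that is triggering authentication on load.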
Solution
A logout is best carried out with a button (https://your_domain/v2/logout?client_id=YOUR_CLIENT_ID&returnTo=LOGOUT_URL). Otherwise, the application may try to check if the user has a session by making an /authorize call at the same time it attempts to log the user out. If a logout request is initiated after an /authorize request and completes before the /authorize request itself completes, the logout will have no impact on the user’s session.
We suggest you check the React SDK quickstart and the sample application for guidance on how to implement a public logout page, avoid making unnecessary calls to the /authorize endpoint, and allow the logout to complete reliably.