Logout user from Auth0 with Express-jwt

oldjoy · February 8, 2019, 12:55pm

So I have set up my authentication flow using the /authorize endpoint:
https://auth0.com/docs/api/authentication?http#social

That gives me access_token for my SPA. Then I check the token authorization in my private APIs following this guide:

Now, I’m confused about logging out.

I believe I have taken care of the Application Session Layer by simply removing browser cookie. But I’m not sure what to do with the Auth0 Session Layer…

Here is what I have got so far in my nodejs:

server.get("/logout", (req, res) => {
  // removes cookie in browser by setting expires date to the past
  res.cookie("access_token", "", {
    expires: new Date(0),
    path: "/"
  });
  
  // this doesn't seem to be doing anything
  res.redirect(`https://riya.auth0.com/v2/logout?
  client_id=ySfcrTGoTIir&
  returnTo=http://localhost:8081`);
});

I have tried what this endpoint says: Authentication API Explorer

This too Log Users Out of Auth0

What do I do so that after a user logs out, that user will see, for example, the ‘google’ oauth login page when logging in again?

nicolas_sabena · February 16, 2019, 7:11pm

This document talk a little more about logout: Logout

Basically, depending on the scenario the user will have two or three sessions that you might want to clear on a logout.

Your application session (kept either in a cookie or in storage/memory in the case of single page applications or native applications). This session you will want to clear.
The session at Auth0. Auth0 keeps a session for the user, so that the user gets SSO if you use the same Auth0 domain in more than one application (think Google with Gmail, YouTube and so on). You might or might not want to clear this session, depending on your security requirements and whether your Auth0 domain is used for something else. If you want to clear this session, you need the user to navigate to the /v2/logout endpoint (and you can provide a returnTo URL as a final destination, see the docs for that).
The session at the upstream identity provider, if the user authenticated with something other than an Auth0 method. E.g. if the user used a social provider like Google, there still will be a session at Google for the user. If you want to clear that session as well, you need to pass the ?federated parameter to the /v2/logout endpoint. Keep in mind, however, that this is rarely something that a user will appreciate in consumer applications (don’t kill my Google session!).

What do I do so that after a user logs out, that user will see, for example, the ‘google’ oauth login page when logging in again?

What behavior exactly are you getting instead? In the code snippet you show, you are clearing the Auth0 cookie and returning the user to http://localhost:8081 after that. Not sure what your application does at that moment, but if the user (or your application) requests a Google authentication then there will be probably an immediate response without user interaction because the Google session was not cleared (because the federated parameter was not included).