LogoutUrl endpoint doesn't pull username to log/monitoring

Context: My team is attempting to use embedded login for our React-Native mobile app. When we use logoutUrl to fetch the /v2/logout endpoint it returns something like this:

(https://{ourTenant}.auth0.com/v2/logout?auth0Client=eyJuYW1lIjoicmVhY3QtbmF0aXZlLWF1dGgwIiwidmVyc2lvbiI6IjIuMTcuNCJ9)

Then, I call it like this:


    fetch(logoutUrl)
      .then(response => {
        console.log(response.status);
      })
      .catch(error => {
        console.log("Calling logout url failed: " + error);
      });

This returns a 200 response, but I notice this in the monitoring logs:

Do we know why these user, connection, and application values are missing? Should I be logging out this way in the first place? What value is the auth0Client as I don’t see that documented?

Any help will be greatly appreciated! :grinning:

Kyle

Hey @ksmith :wave:

Are the users successfully logged out of your application after these logs are seen in the tenant?

From my experience, no user/connection/application in the Successful Logout log occurs when the Auth0 /v2/logout endpoint is called for a user who does not have a valid or existing session.

For example, you can manually go to https://{yourTenant}.auth0.com/v2/logout numerous times without being logged into your application and still receive 200 “OK” responses and then see those requests in your tenant logs without the user/connection/application info.


You can also confirm whether a user has actually logged out of the application by looking for a session_id field in the details object of the Successful Logout details.

Logout for user with valid/existing session:

    "details": {
      "allowed_logout_url": [WHITELISTED_LOGOUT_URLS],
      "session_id": "i9yi.....fxh2"
    },

vs

Logout for user without valid/existing session:

    "details": {
      "allowed_logout_url": [WHITELISTED_LOGOUT_URLS]
    },
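
The `session_id` check described in the reply above, written as a log triage helper. This is an added example, not code from the thread or from Auth0; the sample events are constructed, and the `type` value `"slo"` and the `user_name`/`client_id` field names are assumptions about the exported log shape.

```javascript
// Constructed sample tenant log events (not real data). The "details" shapes
// follow the two snippets quoted above; all other fields are assumptions.
const sampleEvents = [
  { log_id: "ex-1", type: "slo", user_name: "user@example.com", client_id: "exampleClientId",
    details: { allowed_logout_url: [], session_id: "constructed-session-1" } },
  { log_id: "ex-2", type: "slo", details: { allowed_logout_url: [] } },
  { log_id: "ex-3", type: "slo" },                 // details object missing entirely
  { log_id: "ex-4", type: "not-a-logout", user_name: "user@example.com" },
];

// Assumption: "slo" is the event code used for Successful Logout entries.
const LOGOUT_TYPE = "slo";

// Split logout events into those that ended a session (details.session_id
// present) and those recorded for a caller with no valid or existing session.
function classifyLogouts(events) {
  const report = { endedSession: [], noSession: [] };
  for (const ev of events) {
    if (!ev || ev.type !== LOGOUT_TYPE) continue;
    const sid = ev.details ? ev.details.session_id : undefined;
    const entry = {
      log_id: ev.log_id,
      user: ev.user_name || null,
      client_id: ev.client_id || null,
    };
    if (typeof sid === "string" && sid.length > 0) report.endedSession.push(entry);
    else report.noSession.push(entry);
  }
  return report;
}

// Share of logout calls that did not terminate any session. A value near 1
// means the logout path in the app is not reaching a session at all.
function noSessionRatio(events) {
  const r = classifyLogouts(events);
  const total = r.endedSession.length + r.noSession.length;
  return total === 0 ? 0 : r.noSession.length / total;
}
```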

Thanks for the response @gparascandolo.

I think you are right, this is not logging the user out, as I don’t have the sessionId in the logout details. For login, I get a “Success Exchange” for the user, which leads me to think that when I call logout/v2/, this “auth0client” variable and/or value is not the correct path for logging out. I’ve tried several combinations of this URL with different params, and tried the OIDC endpoint, but all results are the same. Still banging my head against the wall trying to figure out what isn’t right.

“allowed_logout_url”: [WHITELISTED_LOGOUT_URLS]

I did notice nothing returns in this logout urls array for me, even though a few are saved in the “Allowed Logout URLs” on the Auth0 Dashboard. I’m wondering if that is a problem.


Re: “Allowed Logout URLs” in the tenant logs - if you pass the client_id parameter to the /v2/logout endpoint, the array will be filled with values assigned to that specific application.

If you do not pass the client_id parameter to the /v2/logout endpoint, this array will be filled with values assigned within the global Tenant > Advanced settings.

Are you showing the logout option to users who are actively logged in only?
If so, have you tried using the built-in clearSession method as seen in the Quickstart docs? Auth0 React Native SDK Quickstarts: Login

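
A way to inspect the logout URL quoted at the top of the thread against the `client_id` behaviour described in the reply above. This is an added example, not code from the thread or the SDK; the host `tenant.invalid` is a constructed placeholder, the `auth0Client` value is the one from the first post, and `inspectLogoutUrl` is a hypothetical helper name.

```javascript
// Placeholder host (constructed); the auth0Client value is copied from the
// URL in the first post of the thread.
const logoutUrl =
  "https://tenant.invalid/v2/logout" +
  "?auth0Client=eyJuYW1lIjoicmVhY3QtbmF0aXZlLWF1dGgwIiwidmVyc2lvbiI6IjIuMTcuNCJ9";

// Hypothetical helper: report what a /v2/logout URL actually carries.
function inspectLogoutUrl(urlString) {
  const url = new URL(urlString);
  const params = url.searchParams;

  // auth0Client is base64-encoded JSON; accept both base64 and base64url.
  let sdkInfo = null;
  const raw = params.get("auth0Client");
  if (raw !== null) {
    try {
      const b64 = raw.replace(/-/g, "+").replace(/_/g, "/");
      sdkInfo = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    } catch (err) {
      sdkInfo = { error: "not base64-encoded JSON" };
    }
  }

  const clientId = params.get("client_id");
  return {
    path: url.pathname,
    sdkInfo,
    clientId,
    returnTo: params.get("returnTo"),
    // Per the reply above: with client_id the application's Allowed Logout
    // URLs apply, without it the tenant-level list applies.
    allowedLogoutUrlSource: clientId ? "application" : "tenant",
  };
}
```

For the URL from the first post, `sdkInfo` decodes to the SDK name and version (`react-native-auth0`, `2.17.4`), and no `client_id` is present, so the tenant-level list is the one that applies.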

> Are you showing the logout option to users who are actively logged in only?

That is the intent, yes. This is still new development so the goal is to call the endpoint to log the user out and if that is successful call clearCredentials to wipe the accessToken from the user’s device.

> If so, have you tried using the built-in clearSession method as seen in the Quickstart docs? Auth0 React Native SDK Quickstarts: Login

The issue with clearSession is that from our understanding it is only compatible with universal login approach. I would like to see clarification on that point as I could be mistaken.

@ksmith Sorry, I missed the detail of you using embedded login method for your React Native mobile app.

Are you using the Resource Owner Password flow for the embedded login and storing the tokens via the credentials manager? In this case, I think it’s okay to simply remove the credentials from the user’s device.

If you have requested refresh tokens, you can also revoke them as part of your logout function (See this doc: Revoke Refresh Tokens)

@gparascandolo

Sorry for the delay, and yes, we are using the Resource Owner Password flow w/ credentials manager - no refresh tokens at this time. I am hopeful that the solution is that simple as it would only require a clearCredentials call from the react-native-auth0 SDK. Any chance you could explain why removing from the device should be sufficient? Is no login session being created on the Auth0 side? I see “Success Exchange” in the log activity if that helps.

Hey @ksmith, this post explains why the /v2/logout endpoint is not applicable when Resource Owner Password flows are used:

