When you detect an error, you need to explicitly log the user out. This is roughly what we do:
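
    // Redirect the browser to the tenant's /v2/logout endpoint;
    // returnTo is where the user lands after logging out.
    res
      .redirect(
        302,
        `${auth0Config.issuerBaseUrl}/v2/logout?${new URLSearchParams({
          client_id: auth0Config.clientId,
          returnTo: `${auth0Config.baseUrl}welcome`
        })}`
      )
      .end();
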
Curiously, using the logout URL from […auth0].ts did NOT work. We had to use the URL shown above.
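
The same redirect as an added example, not code from the post above: it builds the `/v2/logout` URL with the URL API, so a missing trailing slash on `baseUrl` cannot corrupt `returnTo`, and it refuses any return target outside the application's own origin. The helper names `buildLogoutUrl` and `logoutOnError`, the sample hosts and the client id are assumptions; the config field names follow the post's `auth0Config`.

```javascript
// Added example; buildLogoutUrl and logoutOnError are hypothetical helper names.
// The config fields mirror the auth0Config object used in the post.

function buildLogoutUrl(config, returnPath = "/welcome") {
  const appBase = new URL(config.baseUrl);
  // Resolve against the app's base URL instead of concatenating strings,
  // so "https://app" and "https://app/" both yield ".../welcome".
  const returnTo = new URL(returnPath, appBase);

  // Never hand the logout endpoint a return target on another origin,
  // e.g. when returnPath is derived from a query parameter.
  if (returnTo.origin !== appBase.origin) {
    throw new Error(`returnTo must stay on ${appBase.origin}`);
  }

  const logout = new URL("/v2/logout", config.issuerBaseUrl);
  logout.searchParams.set("client_id", config.clientId);
  logout.searchParams.set("returnTo", returnTo.href);
  return logout.href;
}

// Call this from the error path of a handler whose `res` offers
// redirect(status, url), as in the post.
function logoutOnError(res, config, returnPath) {
  res.redirect(302, buildLogoutUrl(config, returnPath));
}

// Constructed sample configuration (not real tenant values).
const sampleConfig = {
  issuerBaseUrl: "https://tenant.example.com",
  clientId: "SAMPLE_CLIENT_ID",
  baseUrl: "https://app.example.com", // note: no trailing slash
};

console.log(buildLogoutUrl(sampleConfig));
```
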