Redirect to callback URL after Logout

I’m trying to implement a function that logs out from both the application session layer and the Auth0 session layer.

I’m using Auth0 Vue SDK.
With the logout implementation below, only the application session was cleared, leaving the Auth0 session intact. As a result, if the user reopened the universal login screen, they would be automatically logged in, which is a critical flaw.

  await auth0.logout({
    logoutParams: {
      returnTo: redirectUrl(),
    },
  });

I referred to this issue and this documentation.

const logoutUrl = `https://MY_DOMAIN/v2/logoutreturnTo=MY_LOGIN_PAGE_URL&client_id=MY_CLIENT_ID`

  await auth0.logout({
    openUrl: () => {
      window.location.replace(logoutUrl);
    },
  });

However, after logging out, the user is redirected to a different page than the URL specified by returnTo.

That different page is the callback URL set as the redirect destination after login.

  const auth0 = createAuth0({
    authorizationParams: {
      redirect_uri: `https://.../callback/`, // ← This page!
    },
  });

After being redirected to the callback page, the user is subsequently redirected to the returnTo page.

This means there’s one unexpected redirect in the logout process.
Application page → /logout endpoint → callback URL → returnTo page

I expect this kind of process.
Application page → /logout endpoint → returnTo page
(Strangely, sometimes it directly redirects to the returnTo page. It behaves as I expected, but it only happens occasionally.)

Is this an expected behavior, or a bug?

Hi @t.fukao,

I understand you observed an extra redirect when users are logging out.

I have taken a close look at your const logoutURL and noticed that your URL was not correctly formed.

It should have the format:
https://YOUR_DOMAIN/v2/logout?returnTo=YOUR_LOGIN_PAGE_URL&client_id=YOUR_CLIENT_ID

I have tested this on my end and confirmed that it works.

Could you give that a try and let me know how it goes?

Thanks,
Rueben

Thank you @rueben.tiow.

I’m sorry, I made a typo when I was raising this issue.
There is a ? between logout and returnTo.

I’m encountering this issue with a correctly formatted URL.


Hi @t.fukao,

Thanks for the clarification.

Can you review your network activity and verify the request at each stage of the logout flow?

Specifically, ensure that the logout endpoint is called correctly with the returnTo query parameter and that no other requests redirect you back to your callback URL.

What you observe seems unusual. During my tests, I was redirected to my returnTo URL immediately after calling the /logout endpoint.

Thanks,
Rueben

Thank you @rueben.tiow.

I’ve checked the network activity.


The status of the logout endpoint was canceled.
The parameters were set correctly.


After that, the authorize endpoint was called 4 times.
They were canceled 3 times, and the last one returned 302.

The redirect_uri parameter was the callback URL.


Next, I was redirected to the callback URL.
It has the same state parameter as the authorize endpoint did.


Next, the logout endpoint was called again.
The parameters were the same as in the first step.


Finally, I was redirected to the login page.


Moreover, I’m having trouble with a number of other strange occurrences.
After I log out, I’m redirected to the app’s home page as being authenticated.
After entering my credentials and clicking the login button in Universal Login Page, I’m redirected to Universal Login Page again and prompted to re-enter my credentials.

I hypothesize that the underlying cause of all problems is a failure to terminate the Auth0 session layer upon logout.

Introducing a few seconds delay using setTimeout before executing auth0.logout improved the likelihood of successful logout.

I suspect that third-party cookies or session records on the Auth0 server are being deleted during this delay, but I’m not sure.

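The two checks discussed in this thread, the /v2/logout URL format and the request sequence seen in the network tab, as an added example that is not code from the thread or from Auth0. The hosts, `CLIENT_ID`, the function names and the `{ url, status }` entry shape are assumptions, and the trace is constructed to mirror the reported sequence.

```javascript
// Added example, not code from the thread. Hosts, CLIENT_ID, the function names
// and the { url, status } entry shape are assumptions; "canceled" marks a
// request the browser aborted before it processed any response.
const LOGOUT = "https://tenant.example/v2/logout?returnTo=" +
  encodeURIComponent("https://app.example/login") + "&client_id=CLIENT_ID";
const AUTHORIZE = "https://tenant.example/authorize?state=s1&redirect_uri=" +
  encodeURIComponent("https://app.example/callback/");

// Constructed trace mirroring the sequence reported in the last post.
const reportedTrace = [
  { url: LOGOUT, status: "canceled" },
  { url: AUTHORIZE, status: "canceled" },
  { url: AUTHORIZE, status: "canceled" },
  { url: AUTHORIZE, status: "canceled" },
  { url: AUTHORIZE, status: 302 },
  { url: "https://app.example/callback/?code=c1&state=s1", status: 200 },
  { url: LOGOUT, status: 302 },
  { url: "https://app.example/login", status: 200 },
];

// Problems with a /v2/logout URL, such as the missing "?" raised in the thread.
function checkLogoutUrl(raw) {
  const u = new URL(raw);
  const problems = [];
  if (u.pathname !== "/v2/logout") problems.push("path is not /v2/logout");
  for (const p of ["returnTo", "client_id"]) {
    if (!u.searchParams.get(p)) problems.push(`missing query parameter ${p}`);
  }
  return problems;
}

// Count the detours between the first /v2/logout request and the final page.
function analyzeLogoutTrace(entries) {
  const hops = entries.map((e) => ({ ...e, u: new URL(e.url) }));
  const first = hops.findIndex((h) => h.u.pathname === "/v2/logout");
  if (first === -1) return { logoutSeen: false };
  const after = hops.slice(first);
  const authorize = after.filter((h) => h.u.pathname === "/authorize");
  const callbacks = new Set(authorize.map((h) => h.u.searchParams.get("redirect_uri")));
  return {
    logoutSeen: true,
    canceledLogouts: after.filter(
      (h) => h.u.pathname === "/v2/logout" && h.status === "canceled").length,
    authorizeAfterLogout: authorize.length,
    callbackHits: after.filter((h) => callbacks.has(h.u.origin + h.u.pathname)).length,
    landedOnReturnTo: after[after.length - 1].url === after[0].u.searchParams.get("returnTo"),
  };
}
console.log(analyzeLogoutTrace(reportedTrace));
```

On the constructed trace this reports one canceled logout, four authorize requests after it and one callback hit; a direct logout → returnTo trace reports zero for all three.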