I too am experiencing the same issue. In my use case, most users have access to only one of the many applications configured. I am using a login flow Action to control this access.
I have removed the api.access.deny() call and replaced it with an api.redirect.sendUserTo('https://{my domain}.eu.auth0.com/v2/logout') call, which works in that the user is logged out with a simple "OK" message on the screen. If I immediately use api.redirect.sendUserTo({URL}) following the logout, I am redirected to the URL, but the user was not logged out, and a state value is included in the address bar and results in the infinite loop again.
When I add the returnTo parameter to the logout, I get an error that the URL is not in my Allowed Logout URL list, although it most assuredly is. Another suggestion in this case is to include '?client_id={CLIENT_ID}', and therein lies the rub. I need to be able to obtain the current CLIENT_ID value the user is using (which application they are attempting to log in to).
The client_id can be obtained via event.client.client_id. Using this, I can redirect back to the login page and the user is logged out; however, there is no indication to the user that anything is wrong, such as why the login failed.
I expect that the web page redirected to will need to be a page that provides the “Not authorized” message.
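The flow described in this post, as an added example that is not the poster's code: a Post-Login Action that, for a user who is not entitled to the application being logged in to, redirects to the tenant's /v2/logout endpoint with client_id (from event.client.client_id) and returnTo set, so the session is cleared and the user lands on a page that explains the failure. Assumptions not taken from the thread: the tenant domain is stored in the Action secret AUTH0_DOMAIN, the ids of the applications a user may use are kept in app_metadata.allowed_clients, and the "not authorized" page is registered in that application's Allowed Logout URLs.

```javascript
// Added example (not the poster's Action). Post-Login Action that ends the
// Auth0 session and sends the user to an explanatory page when they are not
// entitled to the application they are logging in to.

// Assumption: app_metadata.allowed_clients lists the client_ids the user may use.
function isAllowedForClient(event) {
  const meta = (event.user && event.user.app_metadata) || {};
  const allowed = Array.isArray(meta.allowed_clients) ? meta.allowed_clients : [];
  return allowed.includes(event.client.client_id);
}

// Build the /v2/logout URL. Passing client_id makes Auth0 validate returnTo
// against that application's Allowed Logout URLs; without it, only the
// tenant-level list is consulted, which is the mismatch the post ran into.
// returnTo must match an allowed entry exactly (scheme, host, path).
function buildLogoutUrl(domain, clientId, returnTo) {
  const url = new URL(`https://${domain}/v2/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  return url.toString();
}

// Page that shows the "Not authorized" message (constructed placeholder URL).
// It must be listed in the application's Allowed Logout URLs.
const NOT_AUTHORIZED_PAGE = 'https://example.com/not-authorized';

// Kept synchronous so the result can be checked directly; Auth0 accepts a
// sync or async handler here. Returns the redirect target, or null when the
// login is allowed to proceed unchanged.
function onExecutePostLogin(event, api) {
  if (isAllowedForClient(event)) return null;
  // Assumption: AUTH0_DOMAIN is configured as an Action secret.
  const target = buildLogoutUrl(event.secrets.AUTH0_DOMAIN, event.client.client_id, NOT_AUTHORIZED_PAGE);
  // Redirecting to /v2/logout clears the Auth0 session; the user never returns
  // to /continue, so the login transaction is simply abandoned.
  api.redirect.sendUserTo(target);
  return target;
}

if (typeof module !== 'undefined') {
  module.exports = { onExecutePostLogin, buildLogoutUrl, isAllowedForClient };
}
```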