Redirecting to the auth0 logout endpoint shows Successful Logout but the auth0 session remains logged in

We are implementing a logout action within our application which first destroys the user’s session within our application, then redirects the user to the auth0 tenant domain’s logout endpoint. The name for this, I believe, is an SP-initiated logout. Specifically SP (our app) to IdP (Auth0): in this case our application's logout redirects to the Auth0 logout endpoint.

Expected behavior: After redirecting the user to the auth0 logout endpoint, the auth0 session gets cleared for that user. Then when the user initiates a new login from our application, they will have to reauthenticate on auth0.

Observed behavior: After redirecting the user to the auth0 logout endpoint, the auth0 session remains. Initiating a login on auth0 from our application authenticates with the pre-existing session on auth0, and the previously logged in user is authenticated on our application without seeing the universal login page.

What I’ve tried:

Set the sso_disabled: false in the auth0 client web application’s configuration following this guide:

First set the auth0 tenant Settings > Advanced > Session Expiration > Session Policy: Persistent

Approach 1:
Using https://auth0.com/docs/api/authentication/logout/auth-0-logout (the /v2/logout endpoint)

Then in our application, we’ve implemented the following.

  1. The user clicks a ‘/logout’ link in our application; this calls destroy session in our app.
  2. The app redirects the user to TENANT_DOMAIN/v2/logout

Testing this:

  1. log in in a new browser
  2. The user is authenticated, logged into our app
  3. Click the logout link in our app
  4. Redirect is successful to TENANT_DOMAIN/v2/logout. We see a blank screen with the text ‘OK’.
  5. Go back to our app, the user is logged out in our app.
  6. Check the logs in the Auth0 tenant and see a “Successful Logout” log.
  7. Click the login link on our app
  8. The previous user is silently authenticated on auth0 and redirected to our app as the user from step 1, they are not shown the universal login screen

Approach 2:
Using https://auth0.com/docs/api/authentication/logout/oidc-logout (the /oidc/logout endpoint)

I tried a very similar approach, and I did read the docs specific to oidc so I tried a few additional parameters.

Included the id_token_hint, a client_id which matches the ‘aud’ in the id_token.

The test results

  1. log in in a new browser
  2. The user is authenticated, logged into our app
  3. Click the logout link in our app
  4. Redirect is successful to TENANT_DOMAIN/v2/logout. We see a styled logout screen with a logo and green check.
  5. Go back to our app, the user is logged out in our app.
  6. Check the logs in the Auth0 tenant and see a “Successful Logout” logout screen.
  7. Click the login on our app
  8. The previous user is silently authenticated on auth0 and redirected to our app as the user from step 1, they are not shown the universal login screen

More info for debugging:

The Successful Logout logs in the 2 approaches were sparse on information; the values for user_id, user_name, connection_id were empty strings. I think they should have the values set in the logs, and the session id/sid is missing. So that is suspicious.

When sso_disabled: true in the auth0 client web application’s configuration, the user is always prompted to login on every authentication so the problems described don't occur; however, I believe we want the auth0 session to persist unless we specifically redirect the user to any of these logout endpoints.

Any information or help on this issue is appreciated.
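As an added illustration of the two redirects described above (example code written for this thread, not the poster's app or the Auth0 SDK), the following Ruby module builds the /v2/logout and /oidc/logout URLs and refuses to send anything other than a raw compact JWT as id_token_hint. The tenant domain, client ID and return URL are placeholders; the query parameter names are the documented ones.

```ruby
# Added example, not from the original thread or the Auth0 SDK.
require "uri"

module Auth0Logout
  # Placeholder values (assumed); replace with the real tenant/client settings.
  TENANT_DOMAIN = "YOUR_TENANT.example.auth0.com"
  CLIENT_ID     = "YOUR_CLIENT_ID"
  RETURN_TO     = "https://app.example.com/"   # must be in Allowed Logout URLs

  # A compact JWS (what id_token_hint needs) is three base64url segments joined
  # by dots. Sending the decoded claims instead yields the "JWT Malformed"
  # error mentioned in the thread, so reject anything else before redirecting.
  def self.compact_jwt?(token)
    return false unless token.is_a?(String)
    parts = token.split(".")
    parts.size == 3 && parts.all? { |p| p.match?(/\A[A-Za-z0-9_-]+\z/) }
  end

  # /v2/logout: clears the Auth0 session cookie. returnTo must be allow-listed
  # on the client or tenant; a bare `federated` also ends the upstream IdP session.
  def self.v2_logout_url(return_to: RETURN_TO, federated: false)
    query = URI.encode_www_form("client_id" => CLIENT_ID, "returnTo" => return_to)
    query += "&federated" if federated
    "https://#{TENANT_DOMAIN}/v2/logout?#{query}"
  end

  # /oidc/logout (RP-initiated logout): id_token_hint is the raw ID token the
  # app received at login (it carries the sid and sub claims identifying the
  # Auth0 session); client_id must match the token's aud.
  def self.oidc_logout_url(id_token, post_logout_redirect_uri: RETURN_TO)
    raise ArgumentError, "id_token_hint must be a compact JWT" unless compact_jwt?(id_token)
    query = URI.encode_www_form(
      "id_token_hint"            => id_token,
      "client_id"                => CLIENT_ID,
      "post_logout_redirect_uri" => post_logout_redirect_uri
    )
    "https://#{TENANT_DOMAIN}/oidc/logout?#{query}"
  end
end

# Rails usage sketch (assumed controller action, not part of the thread):
#   reset_session   # drop the app's own session first, then end the Auth0 one
#   redirect_to Auth0Logout.oidc_logout_url(id_token), allow_other_host: true
```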

Hi @seb.dtrg

Welcome to the Auth0 Community!

Could you let me know what type of application and SDK you are using? Usually, this behaviour would indicate that you are not clearing the session with either Auth0 or with the application. You can read more about sessions here.

Also, the user that does not get logged out, does he log in using an account they signed up on the application or using a social/enterprise connection? You can try to pass in the federated parameter to the /logout endpoint to see if any of the behaviour changes.

Otherwise, if you can provide me through a DM the tenant and application name on which you experience this behaviour so I can take a look, that would be great.

If you have any other questions, let me know!

Kind Regards,
Nik

Hello,

We are using a Regular web application in auth0, and our SDK is ruby on rails.

The user I’m logging in with is logging into our auth0 Regular web application with a Username Password Database connection. I’m not using the federated parameter or Social login to keep the test simple, but that is something I want to explore after resolving the issue with the auth0 session not being cleared.

I did try the federated parameter, as well as the /logout endpoint and I observed the same behavior.

Locally I was able to clear the user’s application session, and the user does appear logged out on our application when I initiate the logout on our end by clearing the session object. The issue seems to be on the auth0 application which persists session even when a successful logout screen and log is shown.

I have a question, what is the expected behavior from what I described?

Kindly,
Sebastian

Hi @seb.dtrg

I have checked your tenant logs for the specified application and it appears that the log itself does not contain the following values:

  • connection_id
  • user_id
  • user_name

This is one of the Successful Logout logs and their contents:

{
  "date": "{REDACTED}",
  "type": "slo",
  "connection_id": "",
  "client_id": "{REDACTED}",
  "client_name": "{REDACTED}",
  "ip": "{REDACTED}",
  "user_agent": "{REDACTED}",
  "details": {
    "return_to": "{REDACTED}",
    "allowed_logout_url": [
      "{REDACTED}",
      "{REDACTED}"
    ]
  },
  "hostname": "{REDACTED}",
  "user_id": "",
  "user_name": "",
  "$event_schema": {
    "version": "1.0.0"
  }
}

This is a successful logout log from my personal tenant:

{
  "date": "{REDACTED}",
  "type": "slo",
  "connection": "{{connection_name}}",
  "connection_id": "{{connection_id}}",
  "client_id": "{REDACTED}",
  "client_name": "{REDACTED}",
  "ip": "{REDACTED}",
  "user_agent": "{REDACTED}",
  "details": {
    "allowed_logout_url": [],
    "session_id": "{REDACTED}"
  },
  "hostname": "{REDACTED}",
  "user_id": "auth0|{{user_id}}",
  "user_name": "{{user.email}}",
  "$event_schema": {
    "version": "1.0.0"
  }
}

As you can see, the values for the specified parameters are "", indicating that they are empty.
It appears that your application does not provide these details to the /logout endpoint; thus your application is “logging out the user”, however their session is still valid on Auth0.

If I can help with anything else, please let me know!

Kind Regards,
Nik
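To make the comparison above repeatable when reviewing tenant logs, here is an added Ruby check (written for this thread, not Auth0's tooling) that flags "slo" entries carrying neither a user_id nor a details.session_id, i.e. logouts Auth0 could not tie to a session. The JSON entries are constructed samples that mirror the shape of the two logs above.

```ruby
# Added example, not from the original thread. Flags Successful Logout ("slo")
# log entries that were not attributed to a user or session.
require "json"

module LogoutLogCheck
  # Constructed sample entries (shortened) mirroring the two logs above.
  SAMPLE_LOGS = <<~JSON
    [
      {"type":"slo","connection_id":"","client_id":"app-1","user_id":"","user_name":"",
       "details":{"return_to":"https://app.example.com/"}},
      {"type":"slo","connection":"Username-Password-Authentication","connection_id":"con_1",
       "client_id":"app-1","user_id":"auth0|u1","user_name":"user@example.com",
       "details":{"allowed_logout_url":[],"session_id":"sess_1"}},
      {"type":"s","client_id":"app-1","user_id":"auth0|u1"}
    ]
  JSON

  # An slo entry with an empty user_id and no details.session_id is a logout
  # redirect that "succeeded" without Auth0 identifying which session to end.
  def self.unattributed?(entry)
    return false unless entry["type"] == "slo"
    user = entry["user_id"].to_s
    sid  = entry.dig("details", "session_id").to_s
    user.empty? && sid.empty?
  end

  # Returns the unattributed slo entries from a JSON array of log events.
  def self.unattributed_logouts(json)
    JSON.parse(json).select { |e| unattributed?(e) }
  end
end
```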

Hello Nikita,

Thanks for sharing expected behavior. If you can help me by explaining how to ‘send details’ to the logout endpoint, that would be helpful.

I noticed that those values were missing as well, and my suspicion that the auth0 logout session wasn't being cleared was because something like the auth0 session id, sid value, wasn't being passed along.

I’ll share some questions I have.

Is it in the auth0 documentation how to pass this information along to the logout endpoints?
What is the required information to pass to the logout endpoints?

Specifically for the v2/logout and oidc/logout documentation, I couldn't find more details.

For oidc logout I was sending the id_token_hint correctly as a parameter (the original encrypted id_token in the rails omniauth.auth credentials id_token), and that does contain the sid, user_id etc. I did get a JWT Malformed token error, but I solved that by sending the encrypted jwt to the oidc id_token_hint parameter instead of the unencrypted version.

Why were the tenant logs showing “Successful Logout”, if required params were missing?
Why was the page the user lands on for the auth0 web app also showing successful logout messages?

What is the difference between /logout, v2/logout, oidc/logout and in which case do I want to use each?

Sincerely,
Sebastian

I would highly recommend taking a look at our Ruby on Rails SDK and sample application in order to see how they are configured and what you might have done differently.

Generally, if your application is able to receive the ID Token, Access Token and the session cookie, redirecting the user to the logout endpoint should take care of everything. If your application is able to receive all the proper tokens and cookies, then it would be quite weird why the logout is not handled accordingly.

What is the difference between /logout , v2/logout , oidc/logout and in which case do I want to use each?

The /logout and v2/logout are essentially the same thing, since the first would be considered the general logout endpoint used for applications and for the Authentication API. It is recommended to use the /v2/logout endpoint when redirecting the user for logout.

You can read about the differences between /v2/logout and /oidc/logout in this knowledge article.

Otherwise, I can see that your tenant is under an Enterprise plan, you can also submit a support ticket in order to receive live support and have a much deeper and thorough investigation on your application if needed.

Kind Regards,
Nik