Single logout across multiple applications

I’ve been doing research to find out if it is possible to log a user out of all applications at once. You see it as a standard across the likes of Google and almost every single company that undertakes an SSO solution.

I’m a bit at odds as to how this works with Auth0. I know you call the logout API and clear the access_token in the browser, however if I’m on another application I would still be logged in as the access token still exists and is not expired.

Is there no API we can call to expire all the sessions for the user?

For all applications to know the user has signed out, you’d need to contact all applications and tell them to log out the current user.

The way it’s proposed somewhere way way waaay down in the docs (can’t find it right now), is to have a signout page with hidden iframes to all applications you want to log out. The page you request in the iframe is a logout page or, even better, a blank page that also forces a logout, as the user wouldn’t see the page and loading the whole application would therefore be a waste of data.

An older example of this can be found in this GitHub repo. Do note it’s an example from 2016 and the /ssodata endpoint isn’t available anymore. The only implication would be that you can’t check which applications the user is actually logged into, so you’ll just have to blindly request a logout from every single one of your applications.

1 Like

@thijmen96 Thanks for getting back to me. It honestly takes ages to get a reply back on this community forum :stuck_out_tongue: . You would think there would be one endpoint that would be able to achieve this.

On the logout docs page, it states to call the https://{YOUR_DOMAIN}/v2/logout URL. I wasn’t aware there were separate logout endpoints for each application. The other way they state is to check the session periodically. I was hoping there would just be an endpoint that we could call.

// `auth0` is assumed to be an already initialised auth0.WebAuth instance.
// Poll the Auth0 SSO session every 15 minutes (900000 ms).
setInterval(function () {
  auth0.checkSession({}, function (err, data) {
    if (err) {
      // if we get here, it means there is no session on Auth0,
      // then remove the token and redirect to #login
      localStorage.removeItem('userToken');
      window.location.href = '#login';
    }
  });
}, 900000);

There indeed is only one endpoint you can call for Auth0. That clears the Auth0 SSO session. However, there’s no way for Auth0 to let your applications know they need to log out the current user (unless you’re using SAML, which does have single logout support built in, but I’m gonna assume we’re talking about OAuth 2 or OpenID Connect here).

After sending your users to the Auth0 logout endpoint, you can have Auth0 redirect them somewhere else. That’s what I was talking about: a page hosted by you that calls all your applications through hidden iframes to force a logout on every single one of them.

You can also do it the other way around, with checkSession, but that would only check the session every say 15 minutes (depends on what interval you use in your code, but Auth0 recommends at least 15 minutes to prevent running into rate limiting). I’d say the first method of forcing a logout on every application is clearer to your users.

2 Likes
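One way to build the self-hosted page that Auth0 redirects to after /v2/logout, as an added example that is not part of this thread or of Auth0's own code: it loads each application's logout URL in a hidden iframe and reports when every frame has finished or timed out. The application logout URLs, the timeout and the /signed-out landing page are assumed placeholders.

```javascript
// Constructed sample values: each application is assumed to expose a blank
// page at /logout that clears its own token or cookie when loaded.
const APP_LOGOUT_URLS = [
  'https://app1.example.com/logout',
  'https://app2.example.com/logout',
];
const PER_APP_TIMEOUT_MS = 5000; // assumed per-frame wait

// Keep only well-formed https URLs and drop duplicates, so a typo in the
// configured list cannot turn into an arbitrary (or plain-http) iframe load.
function buildLogoutTargets(urls) {
  const seen = new Set();
  const targets = [];
  for (const raw of urls) {
    let u;
    try { u = new URL(raw); } catch (e) { continue; }
    if (u.protocol !== 'https:' || seen.has(u.href)) continue;
    seen.add(u.href);
    targets.push(u.href);
  }
  return targets;
}

// Load every target in a hidden iframe. Resolves with one {href, status}
// per app once each frame fired load/error or its timeout elapsed. `doc` is
// injected so the function can be exercised without a browser.
// Note: 'loaded' only means the frame finished loading; cross-origin frames
// cannot be inspected, so it is not proof that the app cleared its session.
function logoutAllApps(doc, urls, timeoutMs = PER_APP_TIMEOUT_MS) {
  const targets = buildLogoutTargets(urls);
  return Promise.all(targets.map((href) => new Promise((resolve) => {
    const frame = doc.createElement('iframe');
    frame.style.display = 'none';
    frame.src = href;
    const timer = setTimeout(() => resolve({ href, status: 'timeout' }), timeoutMs);
    frame.onload = () => { clearTimeout(timer); resolve({ href, status: 'loaded' }); };
    frame.onerror = () => { clearTimeout(timer); resolve({ href, status: 'error' }); };
    doc.body.appendChild(frame);
  })));
}

// Browser entry point: run on the post-logout page, then send the user on.
if (typeof document !== 'undefined') {
  logoutAllApps(document, APP_LOGOUT_URLS).then((results) => {
    console.log('logout results', results);
    window.location.href = '/signed-out'; // assumed landing page
  });
}
```

Because the frames are cross-origin, the page cannot verify each app's result; the per-app status is only useful for logging and for deciding when to move the user on.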

Thank you @thijmen96 for the help. We are planning to go down the first option “After sending your users to the Auth0 logout endpoint, you can have Auth0 redirect them somewhere else. That’s what I was talking about: a page hosted by you that calls all your applications through hidden iframes to force a logout on every single one of them.” for the exact reason you mentioned.