Single Logout (SLO) for Applications Using the Same Auth0 Tenant for SSO

Overview

This article explains how to implement a single logout (SLO) for applications using the same Auth0 tenant for Single Sign-On (SSO) and provides best practices for implementing SLO for different applications, such as web apps, native apps, and single-page applications.

Applies To

  • Single Logout (SLO)

Solution

A user can be logged out of an application using the endpoints described in the article Verifying Logout Implementations. These endpoints clear the user's session on Auth0, but on their own they are not sufficient to implement a single logout mechanism.

For applications with backends, the Back-Channel Logout mechanism can log users out of multiple applications at once, provided that each application can receive and process the logout requests Auth0 sends to it.
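As an added illustration of what "process the incoming logout requests" involves (example code, not Auth0's and not part of this article), the following Python receiver validates an OIDC Back-Channel Logout token and then ends only the local sessions it names. Everything in it is constructed for the example: the issuer, client id, shared secret, session ids and the token itself. It signs with HS256 so it runs offline with the standard library, whereas Auth0 signs logout tokens with RS256 and a real receiver verifies them against the tenant's JWKS with a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set

# Constructed values for this example. A real Auth0 tenant signs logout tokens with
# RS256 and publishes its keys via JWKS; the shared HS256 secret here is a stand-in
# so the example runs offline with the standard library only.
ISSUER = "https://example-tenant.example/"
CLIENT_ID = "example-client-id"
SHARED_SECRET = b"constructed-example-secret"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
CLOCK_SKEW_SECONDS = 60


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(claims: dict) -> str:
    """Mint an HS256 logout token; stands in for the one Auth0 would POST to the app."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class LogoutTokenError(ValueError):
    """Raised when a logout token fails validation; the app must then end no sessions."""


def verify_logout_token(token: str, now: Optional[float] = None) -> dict:
    """Check the signature and the claims the OIDC Back-Channel Logout spec requires."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise LogoutTokenError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept 'none' or an unexpected algorithm
        raise LogoutTokenError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise LogoutTokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("token not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + CLOCK_SKEW_SECONDS:
        raise LogoutTokenError("missing or future iat")
    if not claims.get("jti"):
        raise LogoutTokenError("missing jti")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise LogoutTokenError("missing back-channel logout event")
    if "nonce" in claims:  # forbidden by the spec, so an ID token cannot pass as a logout token
        raise LogoutTokenError("nonce must not be present")
    if not (claims.get("sub") or claims.get("sid")):
        raise LogoutTokenError("sub or sid is required")
    return claims


class SessionStore:
    """In-memory stand-in for the application's server-side session store."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}  # local session id -> {"sub": ..., "sid": ...}
        self.seen_jti: Set[str] = set()      # replay protection for logout tokens

    def create(self, local_id: str, sub: str, sid: str) -> None:
        self.sessions[local_id] = {"sub": sub, "sid": sid}

    def handle_backchannel_logout(self, token: str, now: Optional[float] = None) -> int:
        """Process one logout request from Auth0; returns how many local sessions ended."""
        claims = verify_logout_token(token, now)
        if claims["jti"] in self.seen_jti:
            raise LogoutTokenError("replayed logout token")
        self.seen_jti.add(claims["jti"])
        key = "sid" if claims.get("sid") else "sub"  # sid: one browser session; sub: all of them
        victims = [k for k, s in self.sessions.items() if s[key] == claims[key]]
        for k in victims:
            del self.sessions[k]
        return len(victims)


def demo() -> int:
    """user1 is signed in from two browsers (two Auth0 sids); logging out sid-1 ends one."""
    store = SessionStore()
    store.create("cookie-1", sub="auth0|user1", sid="sid-1")
    store.create("cookie-2", sub="auth0|user1", sid="sid-2")
    token = make_logout_token({
        "iss": ISSUER, "aud": CLIENT_ID, "iat": 1_700_000_000, "jti": "jti-1",
        "events": {BACKCHANNEL_EVENT: {}}, "sub": "auth0|user1", "sid": "sid-1",
    })
    return store.handle_backchannel_logout(token, now=1_700_000_010)
```

The HTTP endpoint that Auth0 posts to would call handle_backchannel_logout with the logout_token form field and answer 200 only after it returns; any LogoutTokenError maps to a 400 and leaves every session in place. The jti set is what stops a captured logout token from being replayed later to force users out, and the nonce check keeps an ordinary ID token from being accepted as a logout token.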

This solution does not work for mobile and SPA-type apps, as those apps often do not have a backend. These applications usually use refresh tokens to renew access tokens. One option is to revoke the logged-out user's refresh tokens from one of the backend applications with the DELETE /api/v2/users/{userId}/refresh-tokens Management API endpoint. If the access token lifetime is kept short, this can log users out of these applications within a short window after the logout on the first application.
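The revocation call above, as an added Python example (not Auth0's code and not part of this article) that a backend application could run from its own logout handling. The tenant domain and the Management API token are placeholders; the token is assumed to be obtained separately with the scope required for this endpoint, which this article does not state. The `send` parameter is a hypothetical injection point so the flow can be exercised without network access.

```python
import urllib.error
import urllib.request
from typing import Callable, Optional
from urllib.parse import quote

# Constructed placeholder; a real call targets the tenant's own domain.
AUTH0_DOMAIN = "example-tenant.example"
REFRESH_TOKENS_PATH = "/api/v2/users/{user_id}/refresh-tokens"


def build_revoke_request(user_id: str, mgmt_token: str,
                         domain: str = AUTH0_DOMAIN) -> urllib.request.Request:
    """Build DELETE /api/v2/users/{userId}/refresh-tokens for one user.

    The user id (for example 'auth0|abc123') is percent-encoded as a single path
    segment, so the '|' becomes %7C instead of being sent raw in the URL."""
    path = REFRESH_TOKENS_PATH.format(user_id=quote(user_id, safe=""))
    return urllib.request.Request(
        f"https://{domain}{path}",
        method="DELETE",
        headers={"Authorization": f"Bearer {mgmt_token}"},
    )


def _send(req: urllib.request.Request) -> int:
    """Perform the request and return the HTTP status, including error statuses."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def revoke_user_refresh_tokens(user_id: str, mgmt_token: str, domain: str = AUTH0_DOMAIN,
                               send: Optional[Callable[[urllib.request.Request], int]] = None) -> bool:
    """Revoke all of the user's refresh tokens; True on any 2xx response.

    `send` is a hypothetical hook (assumed for this example) that replaces the
    network call; production code leaves it unset and uses _send."""
    status = (send or _send)(build_revoke_request(user_id, mgmt_token, domain))
    return 200 <= status < 300
```

Once the refresh tokens are gone, a mobile app or SPA that still holds a valid access token keeps working until that token expires, which is why the article pairs this call with a short access token lifetime; the revocation should also be logged with the user id and the outcome so that a failed call does not go unnoticed.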