SSO logout - how to logout user from all applications?

Hi,

I have an SSO logout question. (Another one of those things that should in theory be easy, but in the real world isn't.) Basically I have 4 different applications, all using different backend tech (Python, TypeScript, Ruby), with the front-end either an SPA or a Next.js app. I've set up SSO to share the login session across the apps, but when it comes to logging out, I seem to have a problem where if I log out of app A, I'm still logged in to app B.

I'm sure this can't be a new problem, so I'm asking what the best approach is to ensure that logging out from app A means I've logged out from all (app B, app C, app D)?

Thank you in advance,

Noel

Hi @noelt.dolan

Welcome back to the Auth0 Community!

From what you are describing, it appears that you are clearing the application session of the specific user but not their entire session with Auth0 so that the other applications are logged out as well. You can read more about the different session layers in our documentation.

May I ask how the user is connected to multiple apps? Do all the apps use the same tenant with similar user stores? If so, you might want to redirect the user to the /logout endpoint so that you completely erase their sessions with all their applications. However, if the user's sessions are also being persisted by those applications, you might want to look into deleting all of their sessions by using the Management API.

If you have any other questions, let me know!

Kind Regards,
Nik
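The /logout redirect Nik describes, written out as an added example (this is not code from the thread or from Auth0's own SDKs): the app's logout route expires its own session cookie and then sends the browser to the tenant's `/v2/logout` endpoint, so the Auth0 session shared by the other apps is ended as well. The domain, client ID, cookie name and the `returnTo` allow-list entries are placeholders you would replace with your own.

```typescript
// Added example, not code from the thread or from Auth0's SDKs.
// An app-side logout handler: expire the application's own session cookie,
// then send the browser to Auth0's /v2/logout endpoint so the Auth0 session
// shared by app A..D is ended too. Domain, client ID, cookie name and the
// allow-list entries are placeholders.

const AUTH0_DOMAIN = "example.auth0.com"; // assumption: your tenant domain
const CLIENT_ID = "abc123clientid";       // assumption: this app's client ID

// Mirror of the tenant's "Allowed Logout URLs". Auth0 rejects a returnTo that
// is not on its list; checking here as well keeps our own redirect logic from
// being usable as an open redirect before the request ever reaches Auth0.
const ALLOWED_RETURN_TO = new Set<string>([
  "https://app-a.example.com/",
  "https://app-b.example.com/",
]);

function parseUrl(s: string): URL | null {
  try {
    return new URL(s);
  } catch {
    return null;
  }
}

// Exact match on scheme + host + path; query strings and fragments are
// rejected outright so nothing can be smuggled in via "?next=...".
function isAllowedReturnTo(returnTo: string): boolean {
  const url = parseUrl(returnTo);
  if (!url) return false;
  if (url.protocol !== "https:") return false;
  if (url.search !== "" || url.hash !== "") return false;
  return ALLOWED_RETURN_TO.has(`${url.origin}${url.pathname}`);
}

function buildAuth0LogoutUrl(returnTo: string): string {
  if (!isAllowedReturnTo(returnTo)) {
    throw new Error(`returnTo is not allow-listed: ${returnTo}`);
  }
  const u = new URL(`https://${AUTH0_DOMAIN}/v2/logout`);
  u.searchParams.set("client_id", CLIENT_ID);
  u.searchParams.set("returnTo", returnTo);
  return u.toString();
}

interface LogoutResponse {
  status: number;
  headers: Record<string, string>;
}

// The HTTP response the app's /logout route returns. Max-Age=0 deletes the
// cookie; Path and the other attributes must match the ones used when it was set.
function logoutResponse(returnTo: string): LogoutResponse {
  return {
    status: 302,
    headers: {
      "Set-Cookie": "app_session=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax",
      Location: buildAuth0LogoutUrl(returnTo),
    },
  };
}
```

Two things matter here for the behaviour Noel is seeing: the local cookie has to be cleared in the same response that redirects to Auth0 (clearing only the Auth0 session leaves this app's cookie valid until it expires), and `returnTo` has to be on the tenant's Allowed Logout URLs list, which is why the example checks it against an exact-match allow-list before building the URL.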

Hi Nik,

Thank you for taking the time to reply. In answer to your question, I'm using a single tenant which is shared by all my apps (app A, app B, app C, etc.). This being the case, they also all share the same user management settings. Also, with this single tenant, I've created specific Auth0 'Applications' which I map to app_metadata key/value pairs to help give finer control over which users I allow full access to 'my' applications (some users can access all, some only 1 or 2). So it's the users that can access multiple of 'my' applications that I want the single logout to end the session for, across all 'my' applications.

Thank you again,

Noel

Great that I could help regarding the issue you are having!

If all the applications are stored in a single tenant and they have a shared database, the solution provided above should do the trick!

If you are experiencing additional challenges, please let me know!

Kind Regards,
Nik

Hi Nik,

I've followed the approach for deleting user sessions, but although the API request returns successfully (202), when I do a redirect/refresh I'm still logged in. My expectation is that I would be redirected back to our login page, as that's the behaviour when a user doesn't have a session. Is there something more I need to do?

For reference, I’m using Next.js v14 to manage the UI in the first instance to test this approach.

Hi @noelt.dolan

Could you also let me know if you are using Refresh Tokens and different subdomains for all of your applications?

It appears that even if the Auth0 session is being cleared, the application session is being persisted since it does not check frequently enough for their session. As per our documentation, this can be handled in two ways:

  • Have short timeouts on your local session and redirect to Auth0 at short intervals to re-authenticate. This can be done by calling checkSession from the client which does this redirect in a hidden iFrame. If you take the hidden iFrame approach you need to be aware of rate limits and third-party cookie issues.

  • Handle this entirely at the application level by providing your applications a way to notify all other applications when a logout occurs.

Otherwise, one way you may implement this is to have your own session management API: a user logout on one app sets a flag there (posting the user_id, email, connection, client_id, etc.). You have key pages in your applications that poll your session management API, and if a record exists for the user and connection, this indicates a logout has occurred (check whether the logout is recent using a configurable threshold, maybe); then within that application redirect the user to our logout endpoint and perform any application-level session clean-up if relevant.

If I can help you out with anything else regarding the matter, let me know!

Kind Regards,

Nik
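The "session management API" approach from Nik's last reply, as an added example that is not part of the thread: a small logout registry keyed by user and connection, the call the logging-out app makes before it redirects to Auth0, and the check every other app runs on its key pages. An in-memory `Map` stands in for the shared API; the record fields, cookie name and the 10-minute threshold are assumptions. One detail the reply does not spell out is also handled: a logout record is only honoured if it is newer than the local session it is being compared with, otherwise a user who logs out and straight back in would be bounced on every page load.

```typescript
// Added example, not code from the thread. A minimal "logout registry" of the
// kind Nik sketches, plus the check an application runs on its key pages.
// An in-memory Map stands in for the shared session-management API; the
// field names, the cookie name and the threshold are assumptions.

interface LogoutRecord {
  userId: string;      // Auth0 user_id, e.g. "auth0|..."
  connection: string;  // Auth0 connection name
  clientId: string;    // client_id of the app that initiated the logout
  loggedOutAt: number; // epoch milliseconds
}

interface LocalSession {
  userId: string;
  connection: string;
  clientId: string;
  establishedAt: number; // when THIS app issued its own session cookie
}

const logoutRegistry = new Map<string, LogoutRecord>();

// JSON-encode the pair so a "|" inside a user_id cannot collide with a separator.
function registryKey(userId: string, connection: string): string {
  return JSON.stringify([userId, connection]);
}

// Called by the app where the user clicked "logout", before it redirects to
// Auth0. Only a newer logout replaces an existing record.
function recordLogout(rec: LogoutRecord): void {
  const key = registryKey(rec.userId, rec.connection);
  const existing = logoutRegistry.get(key);
  if (!existing || existing.loggedOutAt < rec.loggedOutAt) {
    logoutRegistry.set(key, rec);
  }
}

function getLogoutRecord(userId: string, connection: string): LogoutRecord | undefined {
  return logoutRegistry.get(registryKey(userId, connection));
}

// Should this app tear down its local session? A record only counts if the
// logout happened AFTER this local session was established (otherwise a user
// who logs out and straight back in would be bounced on every page load) and
// is still within the configurable freshness window.
function shouldForceLogout(session: LocalSession, now: number, thresholdMs: number): boolean {
  const rec = getLogoutRecord(session.userId, session.connection);
  if (!rec) return false;
  if (rec.loggedOutAt <= session.establishedAt) return false; // predates this login
  if (now - rec.loggedOutAt > thresholdMs) return false;     // outside the window
  return true;
}

type PageAction =
  | { kind: "render" }
  | { kind: "redirect"; location: string; clearCookie: string };

// What a key page does on load: render normally, or clear the local session
// cookie and send the browser to the Auth0 logout endpoint for this app.
function keyPageAction(
  session: LocalSession,
  now: number,
  auth0LogoutUrl: string,
  thresholdMs: number = 10 * 60 * 1000, // assumption: 10-minute window
): PageAction {
  if (!shouldForceLogout(session, now, thresholdMs)) return { kind: "render" };
  return {
    kind: "redirect",
    location: auth0LogoutUrl,
    clearCookie: "app_session=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax",
  };
}
```

In a real deployment the registry is a service only your applications can write to and read from (server-to-server, authenticated), and `recordLogout` is called from the same handler that clears the local cookie and redirects to Auth0. The freshness window is the trade-off Nik hints at with "configurable threshold": once a record is older than the window it no longer forces a logout, so pair this with short local session lifetimes (the first bullet in the reply) rather than relying on it alone.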
