I have made a website that uses Auth0 to authorise logins such that only a selected group of people can access the site. Initially, everything was working fine: when I hit the logout button, which I have linked to https://domain.auth0.com/v2/logout?returnTo=…, I get a ‘successful logout’ in the logs, but the user is still logged in on the machine.
Also, if I delete that user, it is still able to access the website even when I clear the cache. What am I doing wrong? It worked to begin with and was logging users out, so I’m not really sure what’s changed.
I would like to add that I have made a new tenant, tried the whole thing again but now somehow it is doing the same thing even though I haven’t even registered any allowed callback URLs. The login works, then it logs out, but then the user is still permitted access even when technically not logged in. I suppose this is a cookie issue as when I clear cookies it prompts me to log in again - but how do I clear cookies on logout?
From the situation you’ve described in your first post, it sounds like you haven’t logged the user out of your application and you’re just calling the logout endpoint in Auth0. This will clear the session in Auth0 for the user, but not clear any sessions in your application that you use to track that the user has logged in.