Hello!
I can’t get the OIDC /logout endpoint to log users out of their Auth0 session.
My app’s overall architecture is a React front-end that calls a Node.js back-end server (called server.js), which exposes API endpoints the front-end calls to log in, fetch user data, and log out; server.js then interacts with Auth0 to obtain tokens and get user info.
My logout functionality is implemented as follows: in the user’s profile page is a logout button which, when pressed, calls server.js’s /logout endpoint, while sending it the access and ID tokens that are stored in the localStorage of the browser.
server.js uses the ID token to implement the logout URL per the Use the OIDC Endpoint to Log Users Out of Auth0 article.
The ID token was originally retrieved when the user signed in as follows (ROPF flow):
```js
const { AuthenticationClient } = require('auth0');

// Machine-to-machine client for the Authentication API (credentials live in env/config).
const auth0AuthClient = new AuthenticationClient({
  domain: AUTH0_DOMAIN,
  clientId: AUTH0_CLIENT_ID,
  clientSecret: AUTH0_CLIENT_SECRET,
});

// ...

// Resource Owner Password Grant: exchanges the user's credentials directly for tokens.
const tokenResponse = await auth0AuthClient.oauth.passwordGrant({
  username,
  password,
  audience: MY_AUDIENCE_URL,
  scope: 'openid',
});
const idToken = tokenResponse.data.id_token;
```
I then build my logout URL as follows:
```js
// URLSearchParams percent-encodes the redirect URI; a raw template literal would not.
const params = new URLSearchParams({
  id_token_hint: idToken,
  post_logout_redirect_uri: LOGOUT_REDIRECT_URL,
});
const auth0LogoutUrl = `https://${AUTH0_DOMAIN}/oidc/logout?${params}`;
```
=> PROBLEM: While I get a HTTP 200 “OK” response when server.js GETs the logout URL, I noticed that the application’s logs (from the Auth0 dashboard) had “N/A” as a value in the User field of the logout event (see screenshot below).
This leads me to believe that the user’s Auth0 session was not terminated. Per the Use the OIDC Endpoint to Log Users Out of Auth0 article:
The attached ID token contains the registered claims issuer (iss), audience (aud), and the Auth0 session ID (sid) for verification.
When looking at my ID token’s payload, there is no sid value:
```js
{
  nickname: 'test',
  name: 'test',
  picture: 'https://s.gravatar.com/avatar/...avatars%2Fte.png',
  updated_at: '2023-10-11T17:04:43.919Z',
  email: 'test@test.com',
  email_verified: true,
  iss: 'https://...us.auth0.com/',
  aud: '...',
  iat: 1697043883,
  exp: 1697079883,
  sub: 'auth0|...'
}
```
1) Is there no user associated with the logout event because my ID token has no sid claim?
2) How do I add the sid claim to my ID token, if that is what will successfully terminate the user’s Auth0 session?
Any and all help would be appreciated!