I’m currently using the Angular Auth0 SDK and I was previously able to logout using the logout({ redirectTo: url }) function but to be able to update the user’s email address without logging them out I turned on refresh tokens and set the cache location to localStorage. Since then I’m unable to fully logout of the application.
Here’s what happens:
User clicks logout, logout function is called and is successful
User is redirected to our logout page. This logout page is within our single page application.
When I manually navigate to our page’s homepage the user is still logged in
In our tenant logs I can see a “Success Logout” followed by a “Success Silent Auth” and then a “Success Exchange.” I think this may be due to the refresh token still being active, so when the user gets to our logout page the Angular app immediately logs them back in using the refresh token.
I’ve tried manually deleting the token in localStorage and the session cookies but nothing seems to help. Is there a tenant configuration I might be missing or a way to revoke the refresh token from the Angular SDK?
While there isn’t anything specific to the SDK, you can indeed revoke refresh tokens using the Authentication API.
If you’re able to inspect the /authorize call made when this occurs and see that `response_mode=query`, then this is indeed due to the refresh token. If `response_mode=web_message`, then it is silent authentication via a hidden iframe.
Regardless, I definitely recommend sharing your thoughts and voting for the following feedback request if you’re up to it: