/v2/logout doesn't remove session layer information

gabor.ottlik.hun · July 9, 2024, 6:51am

I use a Login flow called: Whitelisted user emails.

When I try to login with a non white listed user I get back a callback error. Saying Access Denied, which is exactly what is defined in the flow.
I was told in order to fix the login flow I have to kill the session (with /v2/logout) of the user before another try to push me to the Universal Login page.

So I created a separate login handling in NextJs.

	login: async (req: any, res: any) => {
		try {
			await fetch('http://localhost:3000/api/kill-session');
			await handleLogin(req, res);
		} catch (error) {
			return Response.redirect(
				isProd ? `https://restopage.net` : `http://localhost:3000`,
				301,
			);
		}
	}


export const GET = async () => {
	const isProd = process.env.ENV_TYPE === 'production';

	try {
		const redirectUrl = isProd
			? `https://restopage.net`
			: `http://localhost:3000`;
		const url = `${process?.env?.AUTH0_ISSUER_BASE_URL}/v2/logout?client_id=${process?.env?.AUTH0_CLIENT_ID}&returnTo=${redirectUrl}`;

		return await fetch(url);
	} catch (error: any) {
		return new Response(`Failed to kill Auth0 session`, {
			status: 500,
		});
	}
};

Unfortunately /v2/logout didn’t work out and I’m a bit clueless how to proceed.

Any help are welcomed.

gabor.ottlik.hun · July 9, 2024, 6:58am

Actually I’m locked out of my app. Reverted everything. Removed the whitelist flow and left locked out from my app. Can someone from Auth0 check the logs? Many thanks.

gabor.ottlik.hun · July 9, 2024, 1:45pm

It seems /v2/logout doesn’t clear the session so I have to create a new incognito browser window to be able to get The Universal Login page after clicking on a login button with the following href: /api/auth/login

But this is unacceptable user flow. Is there any way to fix it?

gabor.ottlik.hun · July 9, 2024, 3:03pm

When I try the other logout path:

GET /oidc/logout

const { accessToken } = await getAccessToken();

const url = `${process?.env?.AUTH0_ISSUER_BASE_URL}/oidc/logout?post_logout_redirect_uri=${redirectUrl}&id_token_hint=${accessToken}`;

return await fetch(url);

getAccessToken throws an error saying that user does not have a valid session:

AccessTokenError: The user does not have a valid session.
    at Object.getAccessToken

Topic		Replies	Views
handleLogout Redirect Issue Help management-api , tenants	1	126	July 13, 2024
Logging out completely Help login-experience , new-universal-login-experience	12	7462	August 30, 2024
How to handle access denied response Help login-experience , login-prompt-new-experience	5	719	August 7, 2024
Login/logout issues Help classic-universal-login-experience , login-experience	1	19	October 24, 2024
Logging user out of our app AND auth0 causes secondary bug Help configuration , application	0	15	August 30, 2024

/v2/logout doesn't remove session layer information

Related Topics