/v2/logout doesn't remove session layer information

gabor.ottlik.hun · July 9, 2024, 6:51am

I use a Login flow called: Whitelisted user emails.

When I try to login with a non white listed user I get back a callback error. Saying Access Denied, which is exactly what is defined in the flow.
I was told in order to fix the login flow I have to kill the session (with /v2/logout) of the user before another try to push me to the Universal Login page.

So I created a separate login handling in NextJs.

	login: async (req: any, res: any) => {
		try {
			await fetch('http://localhost:3000/api/kill-session');
			await handleLogin(req, res);
		} catch (error) {
			return Response.redirect(
				isProd ? `https://restopage.net` : `http://localhost:3000`,
				301,
			);
		}
	}


export const GET = async () => {
	const isProd = process.env.ENV_TYPE === 'production';

	try {
		const redirectUrl = isProd
			? `https://restopage.net`
			: `http://localhost:3000`;
		const url = `${process?.env?.AUTH0_ISSUER_BASE_URL}/v2/logout?client_id=${process?.env?.AUTH0_CLIENT_ID}&returnTo=${redirectUrl}`;

		return await fetch(url);
	} catch (error: any) {
		return new Response(`Failed to kill Auth0 session`, {
			status: 500,
		});
	}
};

Unfortunately /v2/logout didn’t work out and I’m a bit clueless how to proceed.

Any help are welcomed.

gabor.ottlik.hun · July 9, 2024, 6:58am

Actually I’m locked out of my app. Reverted everything. Removed the whitelist flow and left locked out from my app. Can someone from Auth0 check the logs? Many thanks.

gabor.ottlik.hun · July 9, 2024, 1:45pm

It seems /v2/logout doesn’t clear the session so I have to create a new incognito browser window to be able to get The Universal Login page after clicking on a login button with the following href: /api/auth/login

But this is unacceptable user flow. Is there any way to fix it?

gabor.ottlik.hun · July 9, 2024, 3:03pm

When I try the other logout path:

GET /oidc/logout

const { accessToken } = await getAccessToken();

const url = `${process?.env?.AUTH0_ISSUER_BASE_URL}/oidc/logout?post_logout_redirect_uri=${redirectUrl}&id_token_hint=${accessToken}`;

return await fetch(url);

getAccessToken throws an error saying that user does not have a valid session:

AccessTokenError: The user does not have a valid session.
    at Object.getAccessToken