I have a react SPA using auth0 SP with a SAML auth0 Idp for authentication. The login authentication is working great. the problem is the logout, when users click on a logout button, it triggers the
logout auth0 hook, which i think It calls the
v2/logout endpoint, and it redirects the users to the logout callback, the problem is that the auth0 cookies are not being cleared out, so if the user tries to log in again, it is automatically signed in without prompting credentials. When I manually clean the cookies after each logout the app behaves the way it’s supposed to.
I tried setting the session expiration from 36000 to 60 seconds, but that didn’t help. I also tried using the
v2/logout as shown here Authentication API Explorer, but it didnt work.
Just letting you know how we do logout which may help in your case.
Instead hardcoding the Auth0 domain name in logout url we are reading from context object so we are sure that we don’t send to a different Auth0 Tenant/Instance (we have sandbox and prod in our org). And passing the client_id parameter with returnTo URL, beacuse the returnTo needs to be whitelisted logout url at client level. I think if we add the returnTo url at tenant level logout whitelisting we can avoid client_id parameter.
Thanks for your answer, unfortunately, that doesn’t work in my case, because the auth0 hook is already building the correct logout url to match the Auth0 tenant/client, and I can verify the logout was successful in the auth0 monitoring logs, the problem is that the auth0 session cookies are not cleared in the browser, therefore the user is not being asked for credentials when they press the login button, and as this doc Log Users Out of Auth0 suggests, on logout the auth0 cookies will be cleared, am I missing something here?
Hi Alex, did you figure this out? I am having the same issue.
Seeing the same behaviour here. We are in the middle of moving from auth0.js to auth0-spa.js in our angular application. Logging out via an iframe was working when using auth0.js but stopped after to switching to auth0-spa.js. It appears the logout is actioned in the auth0 logs but the cookies remain.
As an experiment I loaded the logout URL in a new window and it correctly cleared the cookies so it appears to be an issue with iframe only.
Appears to be related to Chrome blocking third party cookies in incognito mode. Allowing all cookies in the chrome setting restored the expected behaviour. Not really how to proceed, since if the user has disallowed third party cookies then the logout in iframe solution will never work and its also difficult to detect it didn’t work so hard to recover from.