Closed danielwong2268 closed 1 year ago
Hi @danielwong2268 - thanks for raising this
This is expected behaviour, you can only logout of your application if you are already logged in. The SDK offers no API to logout of your Identity Provider if you don't have a local application session. You should use the API directly if you want to do this - as you are doing in your workaround.
Describe the problem
I'm unable to get idpLogout to work in what might be an edge case. The setup is:
idpLogout to true. Without this, they end up in an infinite loop where Auth0 detects they're signed in already, Auth0 redirects to our callback again, they fail the rule, and are then redirected to our error page again.
However, what we're seeing is that setting idpLogout to true does not have an impact on the behavior. I believe it is because of this condition here. The user is technically not authenticated due to the error, !req.oidc.isAuthenticated() is true, and thus it is short circuiting and redirecting straight to the redirectURL. When the user goes back to signin, Auth0 thinks they're authenticated and automatically redirects back to our callback URL with the same error, hence the infinite loop.
What was the expected behavior?
When commenting out the code above, idpLogout works as expected. The user is signed out on Auth0 side and is able to log in with another account.
My hacky workaround for now is to set the returnTo to ${AUTH0_ISSUER_BASE_URL}/v2/logout?returnTo=${returnTo}&client_id=${client_id}, which works for now.
I am wondering if there is a better solution.
Thanks in advance!
Reproduction
Environment
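
The short circuit and the workaround discussed in this thread, as an added example that is not part of the original issue or the SDK's code. The function names, tenant URL, client ID and the local allowlist (standing in for the tenant's Allowed Logout URLs) are assumptions made for illustration; the builder also encodes returnTo, which plain string interpolation does not.

```javascript
// Model (assumption) of the behaviour described in the issue: with no local
// session the handler redirects straight to returnTo, so idpLogout is ignored.
function logoutRedirectTarget({ isAuthenticated, idpLogout, returnTo, idpLogoutUrl }) {
  if (!isAuthenticated) return returnTo;        // the short circuit
  return idpLogout ? idpLogoutUrl : returnTo;   // IdP logout only with a session
}

// The workaround from the issue: point returnTo at the tenant's /v2/logout.
// Hypothetical helper; allowedReturnTo mirrors the tenant's allowed logout URLs.
function buildIdpLogoutUrl(issuerBaseUrl, clientId, returnTo, allowedReturnTo) {
  if (!allowedReturnTo.includes(returnTo)) {
    throw new Error('returnTo is not an allowed logout URL');
  }
  const url = new URL('/v2/logout', issuerBaseUrl);
  // searchParams percent-encodes the value, so a returnTo that carries its own
  // query string cannot spill extra parameters into the logout request.
  url.searchParams.set('returnTo', returnTo);
  url.searchParams.set('client_id', clientId);
  return url.toString();
}

// Same URL built by interpolation, as in the workaround, for comparison.
function naiveIdpLogoutUrl(issuerBaseUrl, clientId, returnTo) {
  return `${issuerBaseUrl}/v2/logout?returnTo=${returnTo}&client_id=${clientId}`;
}

// Constructed sample values.
const ISSUER = 'https://tenant.example.auth0.com';
const CLIENT_ID = 'CONSTRUCTED_CLIENT_ID';
const RETURN_TO = 'https://app.example.com/signin?reason=rule_failed&next=/home';

function demo() {
  const idpLogoutUrl = buildIdpLogoutUrl(ISSUER, CLIENT_ID, RETURN_TO, [RETURN_TO]);
  return {
    // Failed callback: no local session, so the IdP session survives.
    sdkTarget: logoutRedirectTarget({
      isAuthenticated: false, idpLogout: true, returnTo: RETURN_TO, idpLogoutUrl,
    }),
    // Workaround: pass the IdP logout URL as returnTo so the redirect reaches it.
    workaroundTarget: logoutRedirectTarget({
      isAuthenticated: false, idpLogout: true, returnTo: idpLogoutUrl, idpLogoutUrl,
    }),
    encodedReturnTo: new URL(idpLogoutUrl).searchParams.get('returnTo'),
    naiveReturnTo: new URL(naiveIdpLogoutUrl(ISSUER, CLIENT_ID, RETURN_TO))
      .searchParams.get('returnTo'),
  };
}
```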