I have an app where I need to be able to log a user out so that they can log back in. To log the user out, I am making a call to:

`https://<domain>/v2/logout?client_id=<clientId>&returnTo=<redirectUri>&federated`
The issue is that instead of getting a 302 as expected and having the user logged out of their SSO, sometimes the call returns an OK with a 200 status and signs the user back in.

I am aware of this issue with Auth0, as per this Auth0 community post, but passing the `client_id` and the `returnTo` parameters was supposed to handle it.

This happens with a Google account, and it seems that the user is indeed logged out of Auth0 but not actually from the SSO provider.

Any ideas on how to fix this? Thank you.
In case anyone comes across this again, I believe the answer is actually pretty simple.

The behavior described above happens when someone tries to perform a logout using the `v2/logout` URL while not having an active Auth0 session. The endpoint will not flag this but instead will respond with either a 200 or a 302 without additional actions.
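As an added illustration of the flow discussed in the question and the answer above (this is example code, not code from either poster or from Auth0): the helper below builds the `v2/logout` URL with a URL-encoded `returnTo`, sends the browser there only when the application believes it still holds an Auth0 session, and classifies the endpoint's reply the way the answer describes. A 302 with a `Location` header is the normal "session cleared, redirecting" case; a 200 is the "there was no active Auth0 session, nothing was logged out upstream" case. The domain, client id and return URL are constructed placeholders, and `hasActiveSession` and `navigate` are hypothetical callbacks standing in for whatever session check and redirect mechanism the app uses.

```javascript
// Build the Auth0 v2/logout URL. `returnTo` must be URL-encoded (URLSearchParams
// does this) and must match one of the Allowed Logout URLs configured for the
// client, otherwise Auth0 rejects the request instead of redirecting.
function buildLogoutUrl({ domain, clientId, returnTo, federated = false }) {
  const url = new URL(`https://${domain}/v2/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  // Auth0 documents `federated` as a bare flag with no value, so append it as
  // such rather than as `federated=`.
  return federated ? `${url.toString()}&federated` : url.toString();
}

// Interpret the endpoint's response as the answer above describes:
//  - 302 + Location: the Auth0 session was cleared and the browser is being
//    sent on (to the upstream IdP when `federated` was set, else to returnTo).
//  - 200: there was no active Auth0 session to end; no redirect-based logout
//    at the identity provider happened, so the user may still be signed in there.
function classifyLogoutResponse(status, location) {
  if (status === 302 && location) {
    return { loggedOut: true, redirect: location };
  }
  if (status === 200) {
    return { loggedOut: false, reason: 'no-active-session' };
  }
  return { loggedOut: false, reason: `unexpected-status-${status}` };
}

// Drive the logout from the browser. Logout is done by top-level navigation,
// not fetch(): the 302 must be followed by the browser so Auth0's and the IdP's
// cookies are cleared. `hasActiveSession` is a hypothetical check the app
// provides (e.g. its own record of a completed login); `navigate` is a
// hypothetical wrapper around window.location.assign so this can be tested.
function performLogout(config, hasActiveSession, navigate) {
  if (!hasActiveSession()) {
    // Calling v2/logout without an Auth0 session yields the 200 the question
    // saw; skip the round trip and just clear local state.
    return { action: 'skipped-no-session', url: null };
  }
  const url = buildLogoutUrl(config);
  navigate(url);
  return { action: 'redirected', url };
}

// Constructed sample configuration (placeholder values, not a real tenant).
const SAMPLE_CONFIG = {
  domain: 'example-tenant.auth0.com',
  clientId: 'PLACEHOLDER_CLIENT_ID',
  returnTo: 'https://app.example.com/logged-out',
  federated: true,
};
```

Usage: `performLogout(SAMPLE_CONFIG, () => appState.loggedIn, (u) => window.location.assign(u))`. If you must inspect the status yourself (for example from a server-side health check against a test tenant), feed the status and `Location` header into `classifyLogoutResponse` and treat `no-active-session` as "nothing to do" rather than as a successful federated sign-out.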