Setting idpLogout to true is not working as expected
danielwong2268 opened this issue
Describe the problem
I'm unable to get `idpLogout` to work in what might be an edge case. The setup is:
- User signs in with social login.
- We have a custom Auth0 rule that rejects this user. They are then redirected back to our callback URL with an error. They are technically not authenticated on our site at this point.
- We want to redirect them back to the signin page and have them potentially log in with another account, and in order to do this we set `idpLogout` to true. Without this, they end up in an infinite loop where Auth0 detects they're signed in already, Auth0 redirects to our callback again, they fail the rule, and are then redirected to our error page again.
However, what we're seeing is that setting `idpLogout` to true does not have an impact on the behavior. I believe it is because of this condition here. The user is technically not authenticated due to the error, `!req.oidc.isAuthenticated()` is true, and thus it is short-circuiting and redirecting straight to the redirectURL. When the user goes back to signin, Auth0 thinks they're authenticated and automatically redirects back to our callback URL with the same error, hence the infinite loop.
What was the expected behavior?
When commenting out the code above, `idpLogout` works as expected. The user is signed out on the Auth0 side and is able to log in with another account.
My hacky workaround for now is to set the returnTo to `${AUTH0_ISSUER_BASE_URL}/v2/logout?returnTo=${returnTo}&client_id=${client_id}`, which works for now.
I am wondering if there is a better solution.
Thanks in advance!
Reproduction
Environment
- version=2.7.2
- NestJS
Hi @danielwong2268 - thanks for raising this
This is expected behaviour: you can only log out of your application if you are already logged in. The SDK offers no API to log out of your Identity Provider if you don't have a local application session. You should use the API directly if you want to do this, as you are doing in your workaround.
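The workaround in the issue and the maintainer's "use the API directly" answer both amount to building the Auth0 `/v2/logout` URL yourself when the callback arrives with an `error` and no local session exists. The following is an added example, not code from the SDK or from either participant; the allow-list entries, tenant, client id and function names are constructed for illustration. It percent-encodes `returnTo` (the raw template literal in the workaround breaks if `returnTo` itself carries a query string) and only accepts `returnTo` values from an allow-list, so the redirect cannot be steered by user-supplied input.

```javascript
// Constructed allow-list of post-logout destinations. Auth0 also enforces its own
// "Allowed Logout URLs" for the client, but checking locally keeps a tampered
// returnTo from ever leaving the app as a redirect.
const ALLOWED_RETURN_TO = new Set([
  'https://app.example.com/signin',
  'https://app.example.com/signin?reason=rule_rejected',
]);

// Build the Auth0 /v2/logout URL (hypothetical helper name).
// issuerBaseUrl is the value the SDK reads from AUTH0_ISSUER_BASE_URL.
function buildIdpLogoutUrl(issuerBaseUrl, clientId, returnTo, allowList = ALLOWED_RETURN_TO) {
  if (!allowList.has(returnTo)) {
    throw new Error(`returnTo is not an allowed logout destination: ${returnTo}`);
  }
  const url = new URL('/v2/logout', issuerBaseUrl);
  // searchParams.set() percent-encodes, so "?" and "=" inside returnTo survive
  // the round trip instead of being parsed as extra /v2/logout parameters.
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  return url.toString();
}

// Decide what the callback route should do with the query string Auth0 sent back.
// An `error` parameter means the rule rejected the user: there is no local
// session, so req.oidc.isAuthenticated() is false and the SDK's idpLogout path
// will not run; the app has to send the browser to /v2/logout itself.
function callbackAction(query, issuerBaseUrl, clientId, returnTo) {
  if (typeof query.error === 'string' && query.error.length > 0) {
    return {
      kind: 'idp_logout',
      location: buildIdpLogoutUrl(issuerBaseUrl, clientId, returnTo),
      error: query.error,
      description: query.error_description || '',
    };
  }
  // No error: let the SDK's normal callback handling establish the session.
  return { kind: 'continue' };
}

// In an Express route this would be:
//   const a = callbackAction(req.query, process.env.AUTH0_ISSUER_BASE_URL, clientId, signinUrl);
//   if (a.kind === 'idp_logout') return res.redirect(a.location);
module.exports = { buildIdpLogoutUrl, callbackAction, ALLOWED_RETURN_TO };
```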