auth0 / express-openid-connect

An Express.js middleware to protect OpenID Connect web applications.


Setting idpLogout to true is not working as expected

danielwong2268 opened this issue · comments

Describe the problem

I'm unable to get idpLogout to work in what might be an edge case. The setup is:

  • User signs in with social login
  • We have a custom Auth0 rule that rejects this user. They are then redirected back to our callback URL with an error. They are technically not authenticated on our site at this point
  • We want to redirect them back to the signin page and have them potentially log in with another account, and in order to do this we set idpLogout to true. Without this, they end up in an infinite loop where Auth0 detects they're signed in already, Auth0 redirects to our callback again, they fail the rule, and are then redirected to our error page again.

However, what we're seeing is that setting idpLogout to true does not have an impact on the behavior. I believe it is because of this condition here. The user is technically not authenticated due to the error, !req.oidc.isAuthenticated() is true, and thus it is short-circuiting and redirecting straight to the redirectURL. When the user goes back to sign in, Auth0 thinks they're authenticated and automatically redirects back to our callback URL with the same error, hence the infinite loop.

What was the expected behavior?

When commenting out the code above, idpLogout works as expected. The user is signed out on the Auth0 side and is able to log in with another account.

My hacky workaround for now is to set the returnTo to ${AUTH0_ISSUER_BASE_URL}/v2/logout?returnTo=${returnTo}&client_id=${client_id}, which works for now.

I am wondering if there is a better solution.

Thanks in advance!

Reproduction

Environment

  • version=2.7.2
  • NestJS

Hi @danielwong2268 - thanks for raising this

This is expected behaviour: you can only log out of your application if you are already logged in. The SDK offers no API to log out of your Identity Provider if you don't have a local application session. You should use the API directly if you want to do this - as you are doing in your workaround.