If you implement Auth0 for login, you may be tempted to skip implementing logout. I started out just with a /logout/
page that cleared my own site's cookies, ignoring the Auth0 side of it.
Since users were still signed in to Auth0 (still had cookies there), this meant that if they clicked "login" again after clicking "logout" they would be logged straight in without needing to authenticate at all.
There are two problems with this approach:
For example, a couple who share the same computer and want to sign into their own separate accounts: the second person clicks "login" and lands straight in the first person's account. I ran into this use-case pretty quickly!
The good news is this is easy to implement via a redirect. Clear your own site's cookies and then send them to:
https://YOURDOMAIN.us.auth0.com/v2/logout?client_id=YOUR_CLIENT_ID&returnTo=URL
That returnTo URL is where Auth0 will send the user once it has cleared its own session; I used my site's homepage. It must be URL-encoded in the query string, and it must be listed under "Allowed Logout URLs" in the Auth0 settings for the application identified by client_id, otherwise Auth0 shows an error page instead of redirecting. Note that this ends the Auth0 session only: if the user signed in through an upstream identity provider such as Google, that provider's session survives unless you also add the federated query parameter to the logout URL.
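The full sequence described above (clear your own session, then redirect to Auth0's /v2/logout with client_id and a URL-encoded returnTo), as an added example that is not code from the original post or from the pillarpointstewards project. The tenant domain, client_id and allow-list are placeholders I made up; the session is a plain dict standing in for whatever your framework gives you, and the "allowed logout URLs" check is a local exact-match sanity check on your side, not Auth0's own matching logic.

```python
from urllib.parse import urlencode, urlsplit


def build_auth0_logout_url(
    auth0_domain: str, client_id: str, return_to: str, federated: bool = False
) -> str:
    """Build the Auth0 v2 logout URL.

    returnTo is percent-encoded by urlencode, so a value such as
    https://example.com/ becomes https%3A%2F%2Fexample.com%2F.
    ``federated`` appends Auth0's bare ``federated`` flag, which also ends
    the upstream identity provider's session (Google, GitHub, ...).
    """
    params = {"client_id": client_id, "returnTo": return_to}
    url = f"https://{auth0_domain}/v2/logout?{urlencode(params)}"
    if federated:
        url += "&federated"
    return url


def is_allowed_return_to(return_to: str, allowed: list[str]) -> bool:
    """Mirror of the 'Allowed Logout URLs' list on the application side.

    Auth0 itself rejects a returnTo that is not on its list, but checking
    here too keeps a mistyped setting from producing a confusing Auth0
    error page, and refuses anything that is not an absolute https URL.
    """
    parts = urlsplit(return_to)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return return_to in allowed


def logout(
    session: dict,
    auth0_domain: str,
    client_id: str,
    return_to: str,
    allowed_logout_urls: list[str],
) -> tuple[int, dict]:
    """Framework-neutral logout handler.

    1. Drop the application's own session state (the part the original
       /logout/ page already did).
    2. Send the browser to Auth0 so its session cookie is cleared too,
       then let Auth0 bounce the user back to returnTo.

    Returns an (HTTP status, headers) pair; a real view would turn this
    into a redirect response.
    """
    session.clear()  # remove our own login cookies / server-side session
    if not is_allowed_return_to(return_to, allowed_logout_urls):
        # Fail closed rather than hand Auth0 a URL it will refuse anyway.
        return 400, {}
    return 302, {"Location": build_auth0_logout_url(auth0_domain, client_id, return_to)}


if __name__ == "__main__":
    # Constructed placeholders; substitute your tenant domain and client_id.
    fake_session = {"user_id": 42, "csrf": "x"}
    status, headers = logout(
        fake_session,
        auth0_domain="example.us.auth0.com",
        client_id="abc123",
        return_to="https://www.example.com/",
        allowed_logout_urls=["https://www.example.com/"],
    )
    print(status, headers, fake_session)
```

The handler clears the local session before it validates returnTo, so a bad configuration can never leave the user half logged out of Auth0 but still logged in to your site.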
Relevant Auth0 documentation:
I implemented this for pillarpointstewards/issues/54, in this commit.
Created 2022-04-03T18:18:12-07:00