How to fully logout user session plus clear oauth data

So I am experiencing a challenge with logout logic.

We’re using an auth0 configuration with Discourse oauth2, and the problem is that when we trigger logout using currentUser.destroySession(), the Discourse session is terminated (the user is logged out), but the oauth data is somehow still cached?

What do I mean here?

Context: when you are using SSO, you would expect that when the user logs out from your site, the next time they try to log back in they will be directed from your site to the SSO page, where they can enter their credentials; once authenticated, the user will be redirected back to your site with an active session.

So given the context above, Discourse does not seem to completely log out the user. Whenever I log out from Discourse it works well, but whenever I try to log back into my forum site, Discourse does not trigger the SSO page again; somehow it still remembers the previously logged-in SSO account, so it automatically picks it and logs in the user, which is very strange.

And this basically means I am stuck with that user; I cannot change to a different user account, unless probably I use incognito or a completely different browser :frowning:

Expectation: once I click log out, on the next attempt to log back in I should be taken to my auth0 SSO page, where I can do the needful and then be redirected back to the Discourse forum.

Seems to be a problem with currentUser.destroySession() in how it clears the session plus the oauth data?

I have also tested manually making an API call to destroy the user session, with the same results and no improvement:

// Admin API: ends the Discourse session for USER_ID server-side.
// MY_FORUM, USER_ID, API_KEY and ADMIN_USERNAME are placeholders.
fetch(`https://MY_FORUM.discourse.group/admin/users/USER_ID/log_out`, {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Api-Key': 'API_KEY',
    'Api-Username': 'ADMIN_USERNAME',
  },
})

Please share insights on this if you have an idea how to fix/approach logout when using oauth.

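The behaviour described above (local session gone, identity provider session still alive) is what a "local only" logout looks like; a full logout has to end both. The helper below is an added example, not code from the original post or from Discourse: it builds the same admin log_out request as above and then the browser redirect to the identity provider's end-session URL. It assumes Auth0's `/v2/logout` endpoint with `client_id` and `returnTo` parameters; other OIDC providers expose an `end_session_endpoint` instead, and the `returnTo` value must be on the provider's allow-list.

```javascript
// Added example: full logout = Discourse session + identity provider session.
// Admin API keys belong on a server, never in browser-side code.

function buildDiscourseLogoutRequest({ forumUrl, userId, apiKey, apiUsername }) {
  // Same admin endpoint as in the post; forumUrl/userId/apiKey are placeholders.
  const base = forumUrl.replace(/\/$/, "");
  return {
    url: `${base}/admin/users/${encodeURIComponent(String(userId))}/log_out`,
    options: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        "Api-Key": apiKey,
        "Api-Username": apiUsername,
      },
    },
  };
}

function buildIdpLogoutUrl({ idpDomain, clientId, returnTo }) {
  // Assumed Auth0 shape: https://<tenant>/v2/logout?client_id=...&returnTo=...
  // Clearing this session is what forces the credential prompt on next login.
  const u = new URL(`https://${idpDomain}/v2/logout`);
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("returnTo", returnTo);
  return u.toString();
}

async function fullLogout(cfg, fetchImpl = fetch) {
  // Step 1: end the Discourse session server-side and fail loudly if it did not.
  const { url, options } = buildDiscourseLogoutRequest(cfg);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`Discourse log_out failed: HTTP ${res.status}`);
  // Step 2: hand the caller the URL the browser must be sent to so the
  // identity provider forgets the user as well.
  return buildIdpLogoutUrl(cfg);
}
```

The caller does `window.location.assign(await fullLogout(cfg, ...))` from a server-mediated endpoint; if step 1 fails, no redirect happens and the failure is visible in logs instead of leaving a half-logged-out user.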