Logout not working in OAuth setup

Hi there,

We have a small issue where pressing the logout button does not result in the user being logged out.

Our setup

We have a Vue.js frontend, where you can authenticate with Auth0. After you’re logged in you can press the messageboard button and you’ll be redirected to our Discourse board, where once again you’ll be authenticated with Auth0.

Installation
I followed this tutorial.

Bug description/reproduction

When you press logout on the Discourse forum, it briefly shows a modal with a refresh button, but then automatically refreshes the page and loads the forum without being logged out.

Here’s a screenshot of the browser calls being done. I’m not sure about the red error calls, as they seem to be triggered after the red error calls again and then they seem to succeed.

I can’t find anything in the debug logs that relates to this.

Expected behavior

The user is logged out of Auth0, causing the page to redirect to the Auth0 login page.

2 Likes

Hmmm, the problem is that users do get logged out, but then they get automatically logged back in immediately. One solution is to set the logout redirect setting to some external site, so that people don’t get logged straight back in. Or maybe you could even set it to /login :thinking:

I’ll have a think about this over the next few days and see if we can come up with a better solution. It is confusing to have a logout button that does… nothing.

6 Likes

This only happens when using:

  • Single sign on / a single auth strategy with disabled local logins
  • login required enabled

Maybe we add a warning to the dashboard when both conditions are met telling the user to properly set the logout redirect elsewhere? It’s a relatively uncommon config to get into where the admin can spend an extra 5 seconds setting the logout address.

7 Likes

@david Redirecting to the login page is a good solution, thanks! Agreed with @Falco that you might need a warning to set this, else it causes strange behavior!

6 Likes

Great!

As @Falco said, this is pretty rare, but I think I will configure the default logout redirect to /login for login_required sites - nice and simple, and that way we don’t rely on people actually reading a warning.

3 Likes

/login doesn’t trigger automatic login on login required + SSO?

3 Likes

Correct. A little counter-intuitive, but that’s how it’s always worked for SSO, and therefore it’s the same for this new single-authenticator mode.

5 Likes

I opened a PR for this issue - it also solves the same issue for SSO sites

https://github.com/discourse/discourse/pull/8423

2 Likes

This topic was automatically closed after 30 hours. New replies are no longer allowed.