Access Tokens for the Management API
You can log a user out of the Auth0 session and (optionally) from the identity provider (IdP) session. When you're implementing the logout functionality, there are typically three session layers you need to consider:
Application Session Layer: The first layer is the session inside your application. Though your application uses Auth0 to authenticate users, you'll still need to track that the user has logged in to your application. In a regular web application, you achieve this by storing information inside a cookie. Log users out of your applications by clearing their session. You should handle the application session in your application.
Auth0 Session Layer: Auth0 also maintains a session for the user and stores their information inside a cookie. The next time a user is redirected to the Auth0 Lock screen, the user's information will be remembered. Log users out of Auth0 by clearing the JSON Web Token (JWT)Single Sign-on (SSO) cookie.
Identity Provider Session Layer: The last session layer is the identity provider layer (for example, Facebook or Google). When users attempt to sign in with any of these providers and they are already signed into the provider, they will not be prompted again to sign in. The users may be asked to give permission to share their information with Auth0 and, in turn, your application. It is not necessary to log the users out of this session layer, but you can force the logout. (For more information, see Log Users Out of Identity Providers and Log Users Out of SAML Identity Providers.)
Quickstarts for logout functionality
For guidance on how to implement logout functionality in your specific type of application and sample code, refer to our Quickstarts for the following types of applications:
- ASP.NET (OWIN)
- ASP.NET (System.Web)
- ASP.NET Core
- Java Spring MVC
- Java Spring Security
- PHP (Laravel)
- PHP (Symfony)
- Ruby on Rails
Redirect users after logout
After users log out, you can redirect users to a specific URL. You need to register the redirect URL in your tenant or application settings. Auth0 only redirects to whitelisted URLs after logout. If you need different redirects for each application, you can whitelist the URLs in your application settings.