Logout Redirects Migration Guide
On 01 December 2021, the logout behavior will change to always redirect users to the URI passed to the Auth0 logout APIs instead of using the returnTo query parameter passed by Identity Providers to /login/callback during the execution of the logout. The URI used will depend on the API called to request the session logout:
- https://YOUR_DOMAIN/logout: Auth0 will use the
- https://YOUR_DOMAIN/v2/logout?federated: Auth0 will use the
If Auth0 does not have a record of a preceding call to one of these APIs, logout will complete, but redirection will not occur and an error page will be displayed to end users.
The following endpoints are affected by this change:
- https://YOUR_DOMAIN/v2/logout when using the federated query parameter to log users out of Identity Providers
- https://YOUR_DOMAIN/wsfed/YOUR_CLIENT_ID?wa=wsignout1.0 when using the wreply query parameter to log out of Auth0 using the WS-Fed protocol
- https://YOUR_DOMAIN/login/callback when using the
Tenants relying on the following usage patterns will not be able to redirect to their desired redirect URI after 01 December 2021:
- Applications that call /login/callback?returnTo without a preceding call to /v2/logout or /wsfed/YOUR_CLIENT?wa=wsignout1.0 to specify the Logout URL.
- Identity Providers that call /login/callback?returnTo with a value in returnTo that is different from the value originally provided in a preceding call to
- Applications that make concurrent calls to one of the affected APIs while providing different redirection URIs in the different calls.
- Applications or users that make calls to the /authorize API concurrently or interleaved with calls to one of the affected APIs, regardless of whether there was a preceding call to
Go to Auth0 Dashboard > Monitoring > Logs, and search for type:depnote AND description:*unvalidated*redirects* to find applications that rely on the deprecated behavior.
For each affected application, ensure that:
- the application does not rely on Identity Providers modifying the Logout URL that is passed back to /login/callback?returnTo, as these modifications will no longer be honored.
- the application does not make concurrent calls to logout APIs using different Logout URLs. Auth0 will store only a single Logout URL for a user agent at any one time, which means that concurrent logout processes will fail to redirect.
- the application does not make calls to /authorize concurrently or interleaved with calls to the logout APIs. Completing a login transaction will clear the stored Logout URL for a user agent, which means that concurrent logout processes will fail to redirect.
- the application and users do not interleave calls to /authorize with calls to one of the affected APIs.
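The checklist above describes a small state machine: one stored Logout URL per user agent, written by the logout APIs, ignored in favour of nothing when absent, consumed by /login/callback, and cleared when a login transaction completes. The following Python model is an added illustration for this guide, not Auth0's code; the class and function names, the session identifier, the constructed URLs and the allowed-logout-URL check are assumptions of the model. It replays each of the deprecated usage patterns so you can see which step causes the redirect to fail.

```python
"""Toy model of the post-migration logout redirect rules (added illustration,
not Auth0 code). Names, session ids and URLs below are constructed."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class LogoutRedirectError(Exception):
    """Raised where Auth0 would show an error page instead of redirecting."""


@dataclass
class LogoutRedirectModel:
    # Assumption of the model: a tenant-level allow list of redirect targets.
    allowed_logout_urls: frozenset
    # At most one stored Logout URL per user agent, keyed by a session id.
    _stored: dict = field(default_factory=dict)

    def v2_logout(self, session: str, return_to: str) -> None:
        """Models /v2/logout?federated&returnTo=... recording the Logout URL."""
        self._record(session, return_to)

    def wsfed_signout(self, session: str, wreply: str) -> None:
        """Models /wsfed/CLIENT?wa=wsignout1.0&wreply=... recording the URL."""
        self._record(session, wreply)

    def _record(self, session: str, url: str) -> None:
        if url not in self.allowed_logout_urls:
            raise LogoutRedirectError(f"{url!r} is not an allowed logout URL")
        # A second call for the same user agent overwrites the first value:
        # this is why concurrent logouts with different URLs lose a redirect.
        self._stored[session] = url

    def authorize_completed(self, session: str) -> None:
        """Completing a login transaction clears the stored Logout URL."""
        self._stored.pop(session, None)

    def login_callback(self, session: str, idp_return_to: Optional[str]) -> str:
        """Models /login/callback?returnTo=... as called by the Identity Provider.

        The IdP-supplied returnTo is ignored; only the stored value is used,
        and it is consumed by the redirect."""
        stored = self._stored.pop(session, None)
        if stored is None:
            raise LogoutRedirectError("no preceding logout call for this user agent")
        return stored


ALLOWED = frozenset({"https://app.example/bye", "https://app.example/bye2"})


def run_scenario(steps: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Replay steps for one user agent; return one outcome per callback step."""
    model = LogoutRedirectModel(ALLOWED)
    session = "ua-1"  # constructed user-agent session id
    outcomes: List[str] = []
    for action, arg in steps:
        try:
            if action == "v2_logout":
                model.v2_logout(session, arg)
            elif action == "wsfed":
                model.wsfed_signout(session, arg)
            elif action == "authorize":
                model.authorize_completed(session)
            elif action == "callback":
                outcomes.append(model.login_callback(session, arg))
            else:
                raise ValueError(f"unknown step {action!r}")
        except LogoutRedirectError as exc:
            outcomes.append(f"error page: {exc}")
    return outcomes


# Migrated application: the IdP sends a different returnTo, which is ignored.
MIGRATED = [("v2_logout", "https://app.example/bye"),
            ("callback", "https://idp.example/changed")]
# Deprecated pattern: /login/callback?returnTo with no preceding logout call.
NO_PRECEDING = [("callback", "https://app.example/bye")]
# Deprecated pattern: concurrent logouts with different Logout URLs.
CONCURRENT = [("v2_logout", "https://app.example/bye"),
              ("v2_logout", "https://app.example/bye2"),
              ("callback", None), ("callback", None)]
# Deprecated pattern: a login transaction interleaved with a WS-Fed sign-out.
INTERLEAVED = [("wsfed", "https://app.example/bye"),
               ("authorize", None), ("callback", None)]

if __name__ == "__main__":
    for name in ("MIGRATED", "NO_PRECEDING", "CONCURRENT", "INTERLEAVED"):
        print(name, run_scenario(globals()[name]))
```

Running the script shows the migrated flow redirecting to the application's own Logout URL, the no-preceding-call and interleaved flows ending on an error page, and the concurrent flow redirecting the second logout only: the first process's URL was overwritten, and the second callback finds nothing stored.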
Once the migration actions have been completed and tested, you should verify the migration.
Once you have migrated your applications and are sure that they no longer rely on the deprecated usage patterns, verify your changes by disabling the deprecated behavior at a time of your choosing and ahead of 01 December 2021.
Go to Auth0 Dashboard > Tenant Settings > Advanced, and locate the Migrations section.
Disable the Unvalidated redirects from /login/callback switch. Turning off this switch disables the deprecated behavior for your tenant, preventing it from being used.
If redirection to the Logout URL does not work as expected after disabling this switch, it is a sign that your application still relies on the deprecated behavior.
Once migrations have been successfully performed and confirmed in production environments, you can disable the switch permanently to ensure that the deprecated features can no longer be used. On 01 December 2021, Auth0 will remove the deprecated behavior completely together with the associated switch.