Key Concepts

  • Review different session layers.

  • Learn how to redirect users after logout.

You can log a user out of the Auth0 session and (optionally) out of the identity provider (IdP) session. When you implement logout, there are typically three session layers to consider:

  1. Application Session Layer: The first layer is the session inside your application. Though your application uses Auth0 to authenticate users, you'll still need to track that the user has logged in to your application. In a regular web application, you achieve this by storing information inside a cookie. Log users out of your applications by clearing their sessions. You should handle the application session in your application.

  2. Auth0 Session Layer: Auth0 also maintains a session for the user and stores their information inside a cookie. The next time a user is redirected to the Auth0 Lock screen, the user's information will be remembered. Log users out of Auth0 by clearing the Single Sign-on (SSO) cookie.

  3. Identity Provider Session Layer: The last session layer is the identity provider layer (for example, Facebook or Google). When users attempt to sign in with any of these providers and they are already signed into the provider, they will not be prompted again to sign in. The users may be asked to give permission to share their information with Auth0 and, in turn, your application. It is not necessary to log the users out of this session layer, but you can force the logout. (For more information, see Log Users Out of Identity Providers and Log Users Out of SAML Identity Providers.)

Redirect users after logout

After users log out, you can redirect them to a specific URL. You need to register that redirect URL in your tenant or application settings, because Auth0 only redirects to allow-listed URLs after logout. If you need a different redirect for each application, add the URLs to the allow list in that application's settings.

Learn more