Logout endpoint

[gusajz]

Auth0 (but probably other IdPs too) requires redirecting to a specific endpoint upon logout.
Right now, remix-auth just destroys the cookie (without any strategy intervention). Since Auth0 doesn't know, it does not destroy its own cookie. The result is that if the user had logged in using a social connector, for example, during the next login attempt, Auth0 will log them in using the same connector and credentials without asking again.

The solution, in Auth0 case, is the redirect to /v2/logout?client_id=${clientId}&returnTo=${redirectTo}.

In order to do so, remix-auth should let the used strategy do it (or build the redirect URL).

I can think of three different approaches:

1. remix-auth.logout delegates the work to the strategy. To avoid breaking other strategies, a default implementation would be provided in the Strategy base class. One drawback is that the strategy would be responsible for destroying the cookie.
2. remix-auth.logout asks the strategy to build the redirect URL. I am not sure if other identity providers would have any other requirement beside redirecting to a specific endpoint, though.

Any thoughts?

I have a working solution to make a PR.

PS: Thanks for the great work creating this library. It's been a pleasure to work and extend :).

[sergiodxa]

If you need a custom setup it’s easier to do it in your action, strategies are free to expose more methods for app developers to use them. The logout method that comes with Remix Auth is mostly a helper for the majority of the use cases than something you need to do, it’s a few lines of code anyway.

[gforro]

I prefer to introduce a support for logout in the strategy. The reason is as it follows:
We do use Keycloak for authentication and it requires to explicitly destroy the session of the given user on logout (similar to Auth0 described above). In case of Keycloak there are 2 possible ways to do so:

1. Redirect the user to a particular URL in case of logout as described in OpenID Connect Logout spec (similar to Auth0), which destroys the user session in Keycloak (similar to Auth0 as discussed above).
2. Call a REST API endpoint to destroy the session (details can be found in Keycloak source code

For both cases we need to have user related tokens (id-token in case no.1 and access&refresh token in case no.2) which are stored in the user data stored in the authenticator's sessionStorage. The sessionStorage is private in the authenticator and therefor it is awkward requirement that the custom logout function (which is not part of the authenticator and also not called from the authenticator) should get the very same sessionStorage as it was provided for the authenticator's constructor.

It would be a cleaner and more safe logout functionality, if there was a provider dependent logout in the strategy object and that strategy was called from the authenticator's logout (similar as authenticator.authenticate is working). That is:

1. Authenticator's logout could be changed to something like async logout(strategy: string, request: Request | Session, options: LogoutOptions): Promise<never>
2. Strategy's logout could be: public abstract doLogout(session: Session, options: LogoutOptions): Promise<string> where the returned value is the redirect to be used in the authenticator's logout function (the final redirect, which also destroys the session and unset the session cookie)

[gusajz]

Yes, the way I am handling it right now is (pasting it in case it is useful to somebody else):

  const session = await sessionStorage.getSession(
    request.headers.get("Cookie")
  );

  throw redirect(
    "https://XXX.us.auth0.com/v2/logout?client_id=XXX&returnTo=XXX/auth/login",
    {
      headers: {
        "Set-Cookie": await sessionStorage.destroySession(session),
      },
    }
  );

A logout method that does this could be added to the Auth0 strategy, so that the user could call it instead of authenticator.logout.

Although, IMHO it may be a little cleaner to delegate the logout to the strategy somehow as well. I was thinking on implementing a Cognito strategy. If I remember correctly, it would need to do that too. Both options work, though.

[jeremyforan]

Do you mind sharing your Cognito Strategy if you have it available.

[designbyadrian]

I wish this was mentioned somewhere more accessible, since I've spent the entire morning trying to figure out why authenticator.logout didn't log me out from Auth0.

[sergiodxa]

This should probably be mentioned on the Auth0Strategy repo

[danestves]

Actually, we already have that code one month ago on README.md

[franzwilhelm]

@sergiodxa @gusajz @designbyadrian I added issues in both the oauth2 and auth0 strategy repos:

sergiodxa/remix-auth-oauth2#15
danestves/remix-auth-auth0#66