Pass a State Parameter During Logout Using the Auth0 React SDK
Passing a state parameter during logout maintains application context and prevents Cross-Site Request Forgery (CSRF) vulnerabilities.
Bypassing the Auth0 SDK logout function to achieve this skips essential local cleanup processes. To safely pass a state parameter, use the openUrl option within the SDK logout method to clear local data before redirecting to the OpenID Connect (OIDC) compliant /oidc/logout endpoint.
- Auth0
- Auth0 React SDK
- OIDC Logout Endpoint
- State Parameters
Developers use the state parameter to maintain context or prevent security vulnerabilities after redirecting back to the application. Attempting to pass this parameter by bypassing the Auth0 SDK logout() function skips the essential local cleanup process. This bypass leaves old session data and tokens active in the browser.
To safely pass a state parameter while ensuring Auth0 clears local session data, configure the openUrl option within the SDK logout() method and redirect to the OIDC-compliant /oidc/logout endpoint.
Construct the OIDC logout URL with the required parameters and call the SDK logout() function using the openUrl option by implementing the following JavaScript code snippet:
// Construct the OIDC logout URL with the required parameters
const oidcLogoutUrl = `https://${domain}/oidc/logout?id_token_hint=${idToken}&post_logout_redirect_uri=${returnTo}&state=${stateToPass}`;
// Call the SDK's logout function with the openUrl option
logout({
openUrl: () => window.location.replace(oidcLogoutUrl)
});
