This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Auth0 does not publish an end_session_endpoint in their openid-configuration. #1067

Closed
dopry opened this issue Mar 4, 2020 · 11 comments

@dopry
Contributor

dopry commented Mar 4, 2020

end_session_endpoint isn't technically required by the OIDC spec; sessions are an optional sub-specification. It would be nice if there were a way to inject the specific missing property into the configuration. Unfortunately, the way the getMetadata() method is currently implemented, openid-configuration will overwrite any provided metadata.

More generally, it would be nice if the client better handled the signout request when there isn't an end_session_endpoint available. Currently it just throws an exception.

dopry added a commit to dopry/oidc-client-js that referenced this issue Mar 4, 2020
dopry added a commit to dopry/oidc-client-js that referenced this issue Mar 5, 2020
dopry added a commit to dopry/oidc-client-js that referenced this issue Mar 5, 2020
@ayvue

ayvue commented Mar 20, 2020

The same situation exists when using Google OAuth2. We catch the error "no end session endpoint" when using the signoutRedirect method during logout.

@brockallen
Member

From my recollection, Auth0's logout endpoint is not conformant to the OIDC end session EP. IOW, they don't accept the params as per spec. So my question is then: what benefit would doing this metadata merge have?

@dgreene1

@ghost @dopry, may I ask what your workarounds were?

@dopry
Contributor Author

dopry commented Mar 25, 2021

Check out https://github.com/dopry/svelte-oidc/blob/5401fed67175c6cdb512dca788cb2aba7bda8378/src/components/OidcContext.svelte#L83

@dgreene1

Thank you so much for documenting the solution @dopry. For future readers, I've also reached out to Auth0 about adding compliance to their roadmap. But until I or someone else replies, we should assume that @dopry's solution is the way to go.

@brockallen
Member

> I've also reached out to Auth0 about adding compliance to their roadmap.

You'd think they have the budget now.

@dgreene1

> > I've also reached out to Auth0 about adding compliance to their roadmap.
>
> You'd think they have the budget now.

@brockallen I don’t think I’ve laughed that hard in a year. Bravo.

@mellis481

@dopry Looking at the solution you linked above, why couldn't/wouldn't you just add the following to the OidcClientSettings you use when creating a new user manager instance via new UserManager(settings):

```js
metadata: {
  authorization_endpoint: "https://sample.auth0.com",
  end_session_endpoint: "https://sample.auth0.com/v2/logout?client_id=SDFKSLFJKLSJFDKJSDF&returnTo=https://myapp.com/loggedout"
}
```

CC: @brockallen

@dopry
Contributor Author

dopry commented Apr 21, 2021

Did it work for you? If so I will look more closely, it would be nice to eliminate the branch in my svelte components.

@mellis481

@dopry I will try and let you know. :)

@mellis481

@dopry auth0 was down yesterday, but I was able to test whether specifying an end_session_endpoint in the client settings metadata would allow me to log out of an auth0 session. And it worked! It took a bit of back and forth because I had to satisfy complaints one by one that not enough metadata was included. Here are the client settings that ultimately worked:

```json
{
  "authority": "https://sample.auth0.com",
  "client_id": "SDFKSLFJKLSJFDKJSDF",
  "response_type": "id_token token",
  "redirect_uri": "https://my-app.com/authorize",
  "scope": "openid profile",
  "post_logout_redirect_uri": "https://my-app.com/loggedout",
  "metadata": {
    "authorization_endpoint": "https://sample.auth0.com/authorize",
    "end_session_endpoint": "https://sample.auth0.com/v2/logout?client_id=SDFKSLFJKLSJFDKJSDF&returnTo=https://my-app.com/loggedout",
    "issuer": "https://sample.auth0.com/",
    "jwks_uri": "https://sample.auth0.com/.well-known/jwks.json",
    "userinfo_endpoint": "https://sample.auth0.com/userinfo"
  }
}
```

I'm not sure if your endpoints are the same as mine, but I ultimately consulted the .well-known endpoint to see what the correct values were for me.

Hope this helps!
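As an added example (not code from oidc-client-js or from anyone in this thread), the two behaviours the thread asks for side by side: a metadata merge in which locally configured values survive discovery, so an injected end_session_endpoint is kept, and a signout-URL builder that returns null instead of throwing when the provider has none, exercised with the Auth0-style override that worked above. The discovery document, host names and client id are constructed placeholders, and the check that every endpoint sits on the issuer's origin is an assumption added here, not something the library does.

```javascript
// Added example, not code from oidc-client-js or from the thread participants.
// DISCOVERY_DOC is constructed to mimic an openid-configuration that omits
// end_session_endpoint; host names and client id are placeholders.
const DISCOVERY_DOC = {
  issuer: "https://sample.auth0.com/",
  authorization_endpoint: "https://sample.auth0.com/authorize",
  jwks_uri: "https://sample.auth0.com/.well-known/jwks.json",
  userinfo_endpoint: "https://sample.auth0.com/userinfo",
};

// Endpoints that must live on the issuer's origin; an override pointing
// elsewhere would send the user's tokens or browser to a third party.
const ISSUER_BOUND = ["authorization_endpoint", "end_session_endpoint", "jwks_uri", "userinfo_endpoint"];

// Merge a fetched discovery document with locally configured metadata.
// Local values win, so an injected end_session_endpoint survives discovery
// (the opposite of what the thread reports getMetadata() doing).
function mergeMetadata(discovered, overrides = {}) {
  const merged = { ...discovered, ...overrides };
  if (!merged.issuer) throw new Error("issuer is required to validate endpoints");
  const issuerOrigin = new URL(merged.issuer).origin;
  for (const key of ISSUER_BOUND) {
    if (merged[key] && new URL(merged[key]).origin !== issuerOrigin) {
      throw new Error(`${key} is not on the issuer origin: ${merged[key]}`);
    }
  }
  return merged;
}

// Build the end-session redirect. Returns null instead of throwing when there
// is no end_session_endpoint, so the caller can fall back to clearing only the
// local session. Query parameters already baked into the endpoint (Auth0's
// client_id / returnTo) are preserved; the OIDC parameters are appended, which
// a non-conformant endpoint simply ignores.
function buildSignoutRedirect(metadata, { idTokenHint, postLogoutRedirectUri, state } = {}) {
  if (!metadata.end_session_endpoint) return null;
  const url = new URL(metadata.end_session_endpoint);
  if (idTokenHint) url.searchParams.set("id_token_hint", idTokenHint);
  if (postLogoutRedirectUri) url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  if (state) url.searchParams.set("state", state);
  return url.toString();
}

// Usage with the Auth0-style override from the thread (placeholder client id).
const AUTH0_OVERRIDE = {
  end_session_endpoint:
    "https://sample.auth0.com/v2/logout?client_id=SDFKSLFJKLSJFDKJSDF&returnTo=https://my-app.com/loggedout",
};
const signoutUrl = buildSignoutRedirect(mergeMetadata(DISCOVERY_DOC, AUTH0_OVERRIDE), { idTokenHint: "<id_token>" });
```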
