How to properly signout from IDP server? #1245

Open
dszy579 opened this issue May 15, 2024 · 2 comments
Labels
question Further information is requested

Comments

dszy579 commented May 15, 2024

I've configured a single logout with auth.signoutRedirect() with a logout button in the UI.

Here is my configuration:

auth config

import type { AuthProviderProps } from 'react-oidc-context'

export const oidcConfig: AuthProviderProps = {
  client_id: '...',
  authority: '...',
  redirect_uri: '...',
  // Explicit metadata is used instead of the IdP's discovery document
  metadata: {
    issuer: '...',
    authorization_endpoint: '...',
    token_endpoint: '...',
    end_session_endpoint: '/oauth2/logout',
    frontchannel_logout_supported: true,
    frontchannel_logout_session_supported: true,
  },
  automaticSilentRenew: false,
  monitorSession: true,
  post_logout_redirect_uri: '...',
  // Strip the authorization response parameters from the URL after sign-in
  onSigninCallback: () => {
    window.history.replaceState({}, document.title, window.location.pathname)
  },
}

logout implementation:

  const onLogout = async () => {
    await auth.signoutRedirect()
    window.sessionStorage.clear()
  }

When the user clicks the logout button, the web app will trigger auth.signoutRedirect() and clear the session storage related to oidc:user, and will be redirected to the IDP logout page to show that the user has successfully signed out.

But, when the user tried to access the web again it seemed like it wasn't completely logged out. I noticed that the web still got the authorization code params automatically on the browser which then makes the user stay logged in.

Any idea why this happened? How to properly log off the user completely from the app and IDP?

ValGab commented May 15, 2024

Hello, did you use auth.removeUser() with auth.signoutRedirect()?

Here is my implementation

onClick={() => {
  auth.removeUser();
  auth.signoutRedirect({ id_token_hint: auth.user?.id_token });
}}

dszy579 commented May 16, 2024

@ValGab thank you for your response, I've updated the issue to add more context to my logout implementation and it seems I made a mistake when calling the clear session method.

I've tried your implementation, but still no luck.

@pamapa pamapa added the question Further information is requested label May 17, 2024
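
The logout request that a configuration like the one in the question produces can be inspected without the library. This is an added example, not code from the thread or from the project: it builds an OpenID Connect RP-Initiated Logout URL and lists conditions worth checking when the IdP session outlives the local logout. The function names, the `appOrigin` parameter and the `example` URLs are assumptions made for illustration.

```javascript
// Added example (not from the issue thread or the library). Builds the
// OpenID Connect RP-Initiated Logout request for a metadata block like the
// one in the question and lists conditions worth checking.
function buildEndSessionRequest(metadata, opts) {
  const { appOrigin, idTokenHint, clientId, postLogoutRedirectUri, state } = opts;
  const findings = [];
  if (!metadata.end_session_endpoint) {
    findings.push('no end_session_endpoint: only local tokens can be cleared');
    return { url: null, findings };
  }
  // A relative endpoint resolves against the page origin, as in a browser.
  const url = new URL(metadata.end_session_endpoint, appOrigin);
  if (url.origin !== new URL(metadata.issuer).origin) {
    findings.push(`end_session_endpoint resolves to ${url.origin}, not the issuer origin`);
  }
  if (idTokenHint) {
    url.searchParams.set('id_token_hint', idTokenHint);
  } else if (clientId) {
    url.searchParams.set('client_id', clientId);
  }
  if (postLogoutRedirectUri) {
    url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
    if (!idTokenHint) {
      findings.push('post_logout_redirect_uri without id_token_hint: the IdP may refuse to redirect back');
    }
  }
  if (state) url.searchParams.set('state', state);
  return { url: url.toString(), findings };
}

// Local sign-out ordering: read the ID token before the stored user is
// removed, then hand control to the IdP. `auth` is any object exposing
// removeUser() and signoutRedirect(), the two calls used in the thread.
async function signOut(auth) {
  const idToken = auth.user?.id_token;
  await auth.removeUser();
  await auth.signoutRedirect({ id_token_hint: idToken });
}

// Constructed sample values; the issue elides the real ones.
const sample = buildEndSessionRequest(
  { issuer: 'https://idp.example', end_session_endpoint: '/oauth2/logout' },
  { appOrigin: 'https://app.example', postLogoutRedirectUri: 'https://app.example/' },
);
console.log(sample.url, sample.findings);
```

Whether the IdP session actually ended is decided by the IdP, so the result of this check should be confirmed against the IdP's own session state.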