Logout fixes: correct client_id + drop pointless ?federated#42
Merged
Conversation
The deployment configmap/secret expose AUTH0_CLIENT_ID and AUTH0_DOMAIN, not VITE_AUTH0_* (those are local-dev only). Reading the VITE_ vars would yield undefined at runtime, breaking the logout URL. Use the non-VITE vars (the same app the server authenticates with, so logout's client_id matches the session), with VITE_ as a local-dev fallback. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
CILogon's OIDC discovery exposes no end_session_endpoint, so Auth0 federated logout cannot end its session — ?federated only produced federated_logout_failed log noise. Plain Auth0 logout still clears the app + Auth0 session; the CILogon/institution SSO session cannot be cleared programmatically. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Follow-up to #41, which squash-merged the first logout version (read `VITE_AUTH0_CLIENT_ID` → fell back to a stale baked `zIcd…` app → Auth0 "Oops, something went wrong"). Two fixes:

1. Correct client_id

Logout now reads `AUTH0_CLIENT_ID`/`AUTH0_DOMAIN` from `process.env` at SSR runtime (same app the server logs in with), with `VITE_` as a local-dev fallback. `index.astro` is `prerender = false`, so the runtime value wins regardless of what was baked at build time:

- H9xiOxqgaM9RAmERrjiepeaysysXZHql
- BJCp2xHTe471QUCKbfKy6F0indSy7Hff

Both already have their logout URLs whitelisted in Auth0. Verified manually: pasting the correct client_id into `/v2/logout` logs out successfully.

2. Drop `?federated`

CILogon's OIDC discovery exposes no `end_session_endpoint`, so Auth0 federated logout can't terminate its session — `?federated` only produced `federated_logout_failed` log entries. Removed it. Plain Auth0 logout still clears the app + Auth0 session; the CILogon / home-institution SSO session cannot be cleared programmatically (documented limitation of academic federations — users must close the browser for a full SSO logout).

`npm run build` passes.

🤖 Generated with Claude Code
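As an added example (not code from this PR or the project), here is what the runtime-first config resolution and the non-federated logout URL construction described above can look like in Node/Astro SSR code. The function names, the sample env objects and the placeholder IDs are assumptions; the point is to fail loudly rather than emit `client_id=undefined`.

```javascript
// Added example, not the project's code. Resolve Auth0 logout settings at SSR
// runtime, preferring the deployment's AUTH0_* vars over the VITE_* local-dev
// values, and build the /v2/logout URL without ?federated.

// Returns the first non-empty string among the named env vars. The literal
// string "undefined" is rejected too: a stale build-time bake can produce it.
function pickEnv(env, ...names) {
  for (const name of names) {
    const value = env[name];
    if (typeof value === "string" && value.trim() !== "" && value.trim() !== "undefined") {
      return value.trim();
    }
  }
  return undefined;
}

// Runtime value wins; VITE_ is only a fallback for local dev.
function resolveAuth0Config(env) {
  const domain = pickEnv(env, "AUTH0_DOMAIN", "VITE_AUTH0_DOMAIN");
  const clientId = pickEnv(env, "AUTH0_CLIENT_ID", "VITE_AUTH0_CLIENT_ID");
  if (!domain || !clientId) {
    // Better to surface a misconfiguration than to send users to a broken logout.
    throw new Error("Auth0 logout config missing: set AUTH0_DOMAIN and AUTH0_CLIENT_ID");
  }
  return { domain, clientId };
}

// No ?federated: the upstream IdP exposes no end_session_endpoint, so the flag
// only produces federated_logout_failed noise. returnTo must be allowlisted in Auth0.
function buildLogoutUrl(config, returnTo) {
  const url = new URL(`https://${config.domain}/v2/logout`);
  url.searchParams.set("client_id", config.clientId);
  url.searchParams.set("returnTo", returnTo);
  return url.toString();
}

// Constructed sample environments with placeholder IDs, not real deployment values.
const sampleDeployEnv = {
  AUTH0_DOMAIN: "example.us.auth0.com",
  AUTH0_CLIENT_ID: "DEPLOY_CLIENT_ID_PLACEHOLDER",
  VITE_AUTH0_CLIENT_ID: "STALE_BUILD_TIME_ID_PLACEHOLDER",
};
const sampleLocalEnv = {
  VITE_AUTH0_DOMAIN: "example.us.auth0.com",
  VITE_AUTH0_CLIENT_ID: "LOCAL_DEV_CLIENT_ID_PLACEHOLDER",
};
```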