Allow to override logoutUrl #1468
Alvaro948 opened this issue Mar 27, 2025 · 1 comment
Alvaro948 commented Mar 27, 2025

Hi,

I am not sure if this should be considered a bug, or if it is maybe a misunderstanding. I have been using this library with Auth0 for years without problems, but since last week at least I have detected a problem with the logout.

I am not sure, but it seems that Auth0 has started returning end_session_endpoint in the openid-configuration. This is important because until now we have been using this as:

export const authConfig: AuthConfig = {
    [...]
    // Logout URL, we have to log out from IdP (Identity Provider) also to remove cookies and so on
    // https://auth0.com/docs/api/authentication?javascript#logout
    logoutUrl: `https://${environment.AUTH_DOMAIN}/v2/logout?client_id=${environment.AUTH_CLIENT_ID}&returnTo=${returnTo}`,
    [...]
}

But if I am not wrong, if end_session_endpoint is provided by the openid-configuration it replaces the configured logoutUrl (see https://github.com/manfredsteyer/angular-oauth2-oidc/blob/master/projects/lib/src/oauth-service.ts#L558), causing the logout() method to redirect to that URL instead of the configured one.

As far as I have seen the key difference is:

  • /v2/logout: the one in my config; it is specific to Auth0 and is intended to work with the cookie-based session
  • /oidc/logout: the one that came from the openid-configuration; it is OIDC conformant and needs an id_token, sid or similar.

So, adding postLogoutRedirectUri could solve the issue:

export const authConfig: AuthConfig = {
    [...]
    postLogoutRedirectUri: returnTo,
    [...]
}

But in my use case when a user has an expired password, the login is denied via Auth0 Action. This causes:

  • No id_token provided to the client, only a redirect with an error message
  • An active cookie on Auth0, because the user entered a valid password

This Auth0 cookie prevents the user from entering the Auth0 login window, where the password reset is, and sends them to the error page once again.

So maybe the problem is Auth0; for now I have done the following in order to emulate what the library, I think, should do:

-this.oauthService.logOut();

+localStorage.removeItem('PKCE_verifier');
+localStorage.removeItem('access_token');
+localStorage.removeItem('access_token_stored_at');
+localStorage.removeItem('expires_at');
+localStorage.removeItem('granted_scopes');
+localStorage.removeItem('id_token');
+localStorage.removeItem('id_token_claims_obj');
+localStorage.removeItem('id_token_expires_at');
+localStorage.removeItem('id_token_stored_at');
+localStorage.removeItem('refresh_token');
+localStorage.removeItem('session_state');

+const params: HttpParams = new HttpParams({
+    fromObject: {
+        client_id: this.oauthService.clientId,
+        returnTo: this.oauthService.postLogoutRedirectUri
+    }
+});

+location.replace(`https://${environment.AUTH_DOMAIN}/v2/logout?${params.toString()}`);
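Review bot: the hand-maintained list of localStorage keys in the added lines duplicates the library's internal storage names, so any key the library later adds or renames will be left behind after this "logout" and the user will still look signed in to the app; if the installed version supports the no-redirect form, `this.oauthService.logOut(true)` lets the library clear its own keys, after which the manual `location.replace(...)` to `/v2/logout` can follow. Also worth a comment at the `returnTo` line: Auth0 only accepts a value that exactly matches an entry in the tenant's "Allowed Logout URLs" (the error mentioned in step 4 below), so `postLogoutRedirectUri` should be validated against that list rather than passed through unchecked.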

To Reproduce
Steps to reproduce the behavior:

  1. Create an Auth0 tenant
  2. Add an action like
     exports.onExecutePostLogin = async (event, api) => {
       api.access.deny(`Your password too old`);
     }
  3. With your Angular application, log in, and you will be redirected to the error page on your application
  4. On that error page, try to execute logout(); it will cause an error on Auth0 or say that the URL is not in the "Allowed logout URL"

Desktop (please complete the following information):

  • OS: Any
  • Browser: At least Chrome, but I would say any
  • Version: 19.0.0

If there is anything else I can help with, just let me know, thanks!
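The endpoint selection described in this issue, as an added example (not code from angular-oauth2-oidc or from the issue author): a discovered end_session_endpoint wins over the configured logoutUrl unless a hypothetical preferConfiguredLogoutUrl flag is set, and the Auth0 /v2/logout URL is only built for a returnTo that appears in a local copy of the tenant's Allowed Logout URLs. The domain, client id and URLs are constructed sample values.

```typescript
// Added example; not part of angular-oauth2-oidc. Only built-in APIs are used.

interface DiscoveryDoc {
  end_session_endpoint?: string; // the subset of openid-configuration we care about
}

interface LogoutConfig {
  clientId: string;
  logoutUrl?: string;                   // e.g. the Auth0-specific /v2/logout URL
  postLogoutRedirectUri?: string;       // what the app wants as returnTo
  preferConfiguredLogoutUrl?: boolean;  // hypothetical override flag, not a real library option
}

// Which endpoint logout() would redirect to.
function resolveLogoutEndpoint(cfg: LogoutConfig, doc: DiscoveryDoc): string | undefined {
  if (cfg.preferConfiguredLogoutUrl && cfg.logoutUrl) {
    return cfg.logoutUrl; // explicit override: the configured URL wins
  }
  // Behaviour described in the issue: discovery wins, configuration is the fallback.
  return doc.end_session_endpoint ?? cfg.logoutUrl;
}

// Build the Auth0 /v2/logout URL. Auth0 rejects a returnTo that does not exactly
// match one of the tenant's "Allowed Logout URLs", so the value is checked against a
// local copy of that list before being percent-encoded into the query string.
function buildAuth0LogoutUrl(domain: string, cfg: LogoutConfig, allowedReturnTo: string[]): string {
  const returnTo = cfg.postLogoutRedirectUri ?? '';
  if (!allowedReturnTo.includes(returnTo)) {
    throw new Error(`returnTo is not an allowed logout URL: ${returnTo}`);
  }
  const params: Array<[string, string]> = [
    ['client_id', cfg.clientId],
    ['returnTo', returnTo],
  ];
  const query = params.map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');
  return `https://${domain}/v2/logout?${query}`;
}
```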

Alvaro948 commented Mar 31, 2025

Currently the end_session_endpoint param is no longer present on the openid-configuration, I will ask Auth0 about this.

EDIT: Auth0 says that the inclusion of the end_session_endpoint was an internal issue. They give an option to enable it under Settings > Advanced, and as long as you leave this toggled off this should be OK:


But this leaves me with the question of why the library is not allowing me to override that URL if end_session_endpoint is present in the openid-configuration; this could be an issue if in the future Auth0 enforces the usage of that param.

Alvaro948 changed the title from "Allow to overide logoutUrl" to "Allow to override logoutUrl" on Apr 10, 2025