Handling Logout in Azure Static Web Apps with Auth0

Azure Static Web Apps can integrate with OIDC-compliant identity providers such as Auth0 for authentication. One caveat I have run into with Auth0, however, is that when the user visits /.auth/logout, the user is signed out of the Azure Static Web App only, not of Auth0, a behavior described in this thread.

In my case, I wanted users to be shown the Auth0 login page by default when they receive a 401 Unauthorized response, and all my routes (except login) are protected, so I ended up with a "login loop" that I suspect works like this:

  1. User logs out via /.auth/logout

  2. User's session in Azure Static Web Apps is revoked

  3. User is redirected back to the Static Web App

  4. Since the user's session in Azure has been revoked, Azure redirects the user to the login route

  5. In my case, the login route is bound to Auth0's login (with all other providers disabled), so the user is redirected to Auth0

  6. Since the user is still logged in with Auth0, they are automatically logged back into the Static Web App with a new session

To fix this, the user has to be logged out of both Azure Static Web Apps and Auth0. The recommendation in the aforementioned thread is to use Auth0's logout API (the /v2/logout endpoint), which clears the Auth0 session and then sends the browser to the URL given in returnTo.

I therefore added a new route to the Static Web App's config (staticwebapp.config.json):

{
  "route": "/logout",
  "redirect": "https://<AUTH0_DOMAIN>/v2/logout?client_id=<AUTH0_APP_CLIENT_ID>&returnTo=https://<STATIC_WEB_APP_DOMAIN>/.auth/logout"
}

Strictly speaking the returnTo value is a query parameter and should be URL-encoded; Auth0 tolerates the bare form above, but encode it if the target URL carries query parameters of its own.

Auth0 only honours a returnTo that matches an entry in the application's Allowed Logout URLs (because client_id is passed, the application-level list is checked rather than the tenant-level one), so the following URLs have to be added in your Auth0 application settings:

  • https://<STATIC_WEB_APP_DOMAIN>/.auth/logout

  • https://<STATIC_WEB_APP_DOMAIN>/logout
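To show how the pieces fit together, here is a complete staticwebapp.config.json that reproduces the setup described above: Auth0 registered as a custom OpenID Connect provider, the built-in login endpoints returning 404, /login rewritten to the Auth0 login, every other route restricted to authenticated users with 401 responses redirected to /login, and the /logout redirect. This is an added example, not the configuration from the original post; the provider name auth0, the app-setting names AUTH0_CLIENT_ID and AUTH0_CLIENT_SECRET, the scopes, and the <...> placeholders are assumptions to replace with your own values. Unlike the fragment above, the returnTo value here is URL-encoded.

```json
{
  "auth": {
    "identityProviders": {
      "customOpenIdConnectProviders": {
        "auth0": {
          "registration": {
            "clientIdSettingName": "AUTH0_CLIENT_ID",
            "clientCredential": {
              "clientSecretSettingName": "AUTH0_CLIENT_SECRET"
            },
            "openIdConnectConfiguration": {
              "wellKnownOpenIdConfiguration": "https://<AUTH0_DOMAIN>/.well-known/openid-configuration"
            }
          },
          "login": {
            "nameClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
            "scopes": ["openid", "profile", "email"]
          }
        }
      }
    }
  },
  "routes": [
    {
      "route": "/login",
      "rewrite": "/.auth/login/auth0"
    },
    {
      "route": "/logout",
      "redirect": "https://<AUTH0_DOMAIN>/v2/logout?client_id=<AUTH0_APP_CLIENT_ID>&returnTo=https%3A%2F%2F<STATIC_WEB_APP_DOMAIN>%2F.auth%2Flogout"
    },
    {
      "route": "/.auth/login/aad",
      "statusCode": 404
    },
    {
      "route": "/.auth/login/github",
      "statusCode": 404
    },
    {
      "route": "/.auth/login/twitter",
      "statusCode": 404
    },
    {
      "route": "/*",
      "allowedRoles": ["authenticated"]
    }
  ],
  "responseOverrides": {
    "401": {
      "redirect": "/login",
      "statusCode": 302
    }
  }
}
```

Route order matters: the first matching route wins, so /login and /logout (which carry no allowedRoles and stay reachable without a session) must come before the catch-all /*. The client secret never appears in this file; it is read from the app setting named in clientSecretSettingName, while the client_id in the redirect is a public identifier and can be embedded literally. Custom providers require the Static Web Apps Standard plan. If you want to land somewhere other than the site root after logout, /.auth/logout accepts a post_logout_redirect_uri query parameter; since it would then be nested inside returnTo, encode it twice.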

This has the following effect when the user visits /logout:

  1. Log out the user from Auth0

  2. Redirect the user to Azure Static Web App's /.auth/logout endpoint

  3. Log out the user from Azure Static Web Apps

Now, when the user reloads the page, they are greeted with Auth0's login page, which indicates that they are logged out of both the Static Web App and Auth0. Note that this ends the session at Auth0 itself only; if the Auth0 connection federates to an upstream identity provider, that upstream session survives unless the federated parameter is also passed to /v2/logout.