Logout endpoint on Customer Account API not logging out user

Currently I am spiking out using the Customer Account API for user authentication with a view to implementing this on our headless app. I have managed to create a headless test app to log the user in, retrieve the access token and retrieve the user information. However, logging out the user doesn’t appear to actually log them out.

To be specific, the app redirects to the authorisation page (Customer Account API reference) and upon successfully entering the email & login code the callback is called with the code, which is then used to obtain the access token (Customer Account API reference), which is then stored in a cookie along with the id_token that is also returned. I then use the id_token to log out the user with the logout endpoint (Customer Account API reference), which appears to succeed, and so my app deletes the cookies. But when the process is repeated and the app invokes authorization again, the page doesn’t ask for the email address. Instead it directly calls the callback with the tokens, which suggests to me the user is still logged in.

Why is the user still logged in?

Did you ever resolve this? I am facing the same issue with only one customer. Customer experiences it with different accounts on different devices.

I can’t reproduce, not even using one of their accounts. So I think it is “person-related”, which is so weird.

I’m going to meet them in a few days to oversee device settings and how the login is done but maybe you have a hint on what to look out for or why this happened on your end?

In my case I wasn’t actually doing a redirect to the login url and was only trying to post to the url. This was the reason for me. I’m guessing you’re already doing that correctly.

Thank you for taking the time to reply. I am redirecting customers to the login page, so that should be working fine. Anyway, I’ll double-check that again. It seems so basic, maybe that’s why I missed something. Thanks again!

May or may not be relevant to you but I finally found out what’s happening.

Sending any Accept header other than text/html makes the logout route reject the request with an HTTP 406 error, and the customer is not logged out. We were sending accept: */*. Omitting the header also works fine, but if you send it, it’s got to be text/html.
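The two pitfalls described in this thread (posting to the logout URL from the server instead of redirecting the browser, and sending an Accept header other than text/html) are easy to encode as checks. The following is an added example written for this page, not code from the thread or from the Customer Account API itself. It models the reported 406 behaviour in a small simulated endpoint, builds the browser redirect a headless app should issue, and clears the app's own token cookies in the same response. The logout URL, the query-parameter names (`id_token_hint`, `post_logout_redirect_uri`) and the cookie names are assumptions for illustration; take the real values from the API reference.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed placeholder for the identity provider's logout route.
LOGOUT_URL = "https://idp.example.invalid/auth/logout"

# Assumed names of the cookies the headless app sets after the code exchange.
TOKEN_COOKIES = ("access_token", "id_token")


def accept_header_allowed(headers):
    """Model of the behaviour reported above: the logout route only accepts
    requests whose Accept header is omitted or whose media type is text/html.
    Header names are matched case-insensitively; media-type parameters
    (e.g. ';q=0.9') are ignored."""
    accept = None
    for name, value in headers.items():
        if name.lower() == "accept":
            accept = value
            break
    if accept is None:
        return True
    media_type = accept.split(";", 1)[0].strip().lower()
    return media_type == "text/html"


def simulated_logout_endpoint(headers):
    """Constructed stand-in for the server side: returns (status, session_cleared).
    A rejected request leaves the identity-provider session untouched, which is
    why the next authorization round trip skips the email prompt."""
    if not accept_header_allowed(headers):
        return 406, False
    return 302, True


def build_logout_redirect(id_token, post_logout_redirect_uri):
    """Build the response the headless app returns to the *browser*.

    The browser follows the Location header to the identity provider, sending
    the provider's own session cookie, so the provider can end its session.
    The app's token cookies are expired in the same response so a stale
    access token cannot be reused locally after logout."""
    query = urlencode({
        "id_token_hint": id_token,                       # assumed parameter name
        "post_logout_redirect_uri": post_logout_redirect_uri,  # assumed parameter name
    })
    expired_cookies = [
        f"{name}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"
        for name in TOKEN_COOKIES
    ]
    return {
        "status": 302,
        "location": f"{LOGOUT_URL}?{query}",
        "set_cookie": expired_cookies,
    }


def redirect_targets_logout(response):
    """Check that a redirect really points at the logout route with the id_token."""
    parts = urlsplit(response["location"])
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    params = parse_qs(parts.query)
    return base == LOGOUT_URL and "id_token_hint" in params


def server_side_post_logout(id_token):
    """The broken pattern from the thread: the app calls the logout route itself
    with a generic Accept header and without the browser's provider cookie.
    Returns the simulated endpoint's (status, session_cleared)."""
    headers = {"Accept": "*/*", "Content-Type": "application/x-www-form-urlencoded"}
    return simulated_logout_endpoint(headers)


if __name__ == "__main__":
    # Constructed sample token; a real id_token is a signed JWT from the provider.
    sample_id_token = "eyJ.sample.id-token"
    print("server-side POST with Accept */* ->", server_side_post_logout(sample_id_token))
    resp = build_logout_redirect(sample_id_token, "https://app.example.invalid/logged-out")
    print("browser redirect ->", resp["status"], resp["location"])
    print("redirect valid:", redirect_targets_logout(resp))
```

The design point is that deleting the app's cookies only ends the app's view of the session; the identity provider keeps its own cookie, so the logout must be a top-level browser navigation that the provider sees with that cookie attached, and it must not be turned into an API-style request by a client that adds `Accept: */*` by default.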