
Logout is clearing credentials stored in local storage for ALL client_ids #1063

Closed
cmotsn opened this issue Jan 3, 2023 · 3 comments · Fixed by #1068
Labels
bug This points to a verified bug in the code

Comments

cmotsn commented Jan 3, 2023

Describe the problem

We use auth0-angular SDK to provide authentication for multiple Auth0 clients on the same website, with the cacheLocation: 'localstorage' configuration option.

In other words, the website https://example-website/A has its own login button for an Auth0 client with client_id_a, and https://example-website/B has its own login button for an Auth0 client configured with client_id_b.

Because A and B share a hostname, they share the same local storage.

Login works as expected: when I log in for A, I am not logged in for B, and reciprocally. This is because local storage keys include the client_id, allowing A and B to be differentiated.

But when I log out from A, the stored credentials for B are also cleared from the local storage, which should not happen.

What was the expected behavior?

Logging out from sectionA should only clear out stored credentials for sectionA, without impacting stored credentials for sectionB.

Reproduction

  • On Auth0, configure two separate clients, each with its own client_id.

  • Create an SPA that has a login/logout button, and configure it to use one or the other client_id based on the url /A or /B (or whatever), with option cacheLocation: 'localstorage'.

  • Go to your-app/A, login for A

  • Reload the page to your-app/B, login for B

  • Check that local storage contains stored credentials for A and B.

  • Reload the page to your-app/A, logout for A

  • See that local storage was cleared of credentials for both A and B

Environment

  • Version of auth0-spa-js used: 1.22.5
  • Which browsers have you tested in? Firefox, Chrome
  • Which framework are you using, if applicable (Angular, React, etc): Angular
  • Other modules/plugins/libraries that might be involved: auth0-angular

Possible cause

This probably stems from the call made in Auth0Client.logout() to cacheManager.clear():

await this.cacheManager.clear();

Because the client_id to clear is not specified, the cacheManager clears ALL auth0 keys:

async clear(clientId?: string): Promise<void> {

@cmotsn cmotsn added the bug report This issue reports a suspect bug or issue with the SDK itself label Jan 3, 2023
frederikprijck (Member) commented Jan 16, 2023

Thank you for reaching out!

I was able to reproduce this on v2 of Auth0-SPA-JS as well, and believe we should have the option to be able to only log out from the current client, while also still allowing logging out from all client ids.

I opened a PR to address this, but basically the idea is that if logout({clientId: null}) is called, we would still clear all data for all clients. But in all other cases we'd use the provided clientId or fall back to the globally configured clientId.

@frederikprijck frederikprijck added bug This points to a verified bug in the code and removed bug report This issue reports a suspect bug or issue with the SDK itself labels Jan 16, 2023
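An added illustration, not auth0-spa-js code (the key layout, the demo-auth prefix and the client ids are constructed), of the indiscriminate clear the issue reports beside the clientId-scoped logout described in the comment above:

```javascript
// Stand-in for window.localStorage so the example also runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Constructed key layout (an assumption, not the SDK's exact format): prefix::client_id::audience::scope
const KEY_PREFIX = 'demo-auth';
const cacheKey = (clientId, audience, scope) => `${KEY_PREFIX}::${clientId}::${audience}::${scope}`;
const clientIdOf = (key) => key.split('::')[1];

class DemoCache {
  constructor(storage) { this.storage = storage; }
  set(entry) {
    this.storage.setItem(cacheKey(entry.clientId, entry.audience, entry.scope), JSON.stringify(entry));
  }
  // Snapshot the keys first so removals do not disturb the storage iteration.
  keys() {
    const out = [];
    for (let i = 0; i < this.storage.length; i++) {
      const k = this.storage.key(i);
      if (k !== null && k.startsWith(KEY_PREFIX + '::')) out.push(k);
    }
    return out;
  }
  // Behaviour reported in the issue: every entry under the prefix goes, whatever its client_id.
  clearAll() { this.keys().forEach((k) => this.storage.removeItem(k)); }
  // Scoped variant: only entries whose client_id segment matches are removed.
  clearForClient(clientId) {
    this.keys().filter((k) => clientIdOf(k) === clientId).forEach((k) => this.storage.removeItem(k));
  }
}

// Design described in the thread: clientId === null clears every client,
// otherwise the given clientId is cleared, falling back to the globally configured one.
function logout(cache, globalClientId, options = {}) {
  if (options.clientId === null) return cache.clearAll();
  return cache.clearForClient(options.clientId ?? globalClientId);
}

// The issue's reproduction with two constructed client ids; the /A page is configured with client_id_a.
function remainingAfterLogout(options) {
  const cache = new DemoCache(new MemoryStorage());
  cache.set({ clientId: 'client_id_a', audience: 'api', scope: 'openid', accessToken: 'a-token' });
  cache.set({ clientId: 'client_id_b', audience: 'api', scope: 'openid', accessToken: 'b-token' });
  logout(cache, 'client_id_a', options);
  return cache.keys().map(clientIdOf); // client_ids whose credentials survived the logout
}
```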
cmotsn (Author) commented Jan 17, 2023

Thank you! 🙏
