auth0 · shayaantx · Oct 11, 2024 · Jul 18, 2025 · Jul 22, 2025 · Aug 4, 2025
@@ -454,6 +454,7 @@ class ResponseContext {
     res.setHeader('cache-control', 'no-store');
     const logoutToken = req.body.logout_token;
     if (!logoutToken) {
+      debug('req.oidc.backchannelLogout() failed due to missing logout token', req.body);
-      debug('req.oidc.backchannelLogout() failed due to missing logout token', req.body);
+      debug('req.oidc.backchannelLogout() failed due to missing logout token. logout_token present: %s', !!req.body.logout_token);
-      debug('req.oidc.backchannelLogout() failed due to missing logout token', req.body);
+      debug('req.oidc.backchannelLogout() failed due to missing logout token. logout_token present: %s', !!req.body.logout_token);
       res.status(400).json({
         error: 'invalid_request',
         error_description: 'Missing logout_token',
@@ -474,6 +475,7 @@ class ResponseContext {
         algorithms: [config.idTokenSigningAlg],
       });
     } catch (e) {
+      debug('req.oidc.backchannelLogout() failed verifying jwt with: %s', e.message);
       res.status(400).json({
         error: 'invalid_request',
         error_description: e.message,
@@ -483,7 +485,7 @@ class ResponseContext {
     try {
       await onToken(token, config);
     } catch (e) {
-      debug('req.oidc.backchannelLogout() failed with: %s', e.message);
+      debug('req.oidc.backchannelLogout() failed logging out the token with: %s', e.message);
       res.status(400).json({
         error: 'application_error',
         error_description: `The application failed to invalidate the session.`,

@@ -22,7 +22,7 @@ const enforceLeadingSlash = (path) => {
  */
 const auth = function (params) {
   const config = getConfig(params);
-  debug('configuration object processed, resulting configuration: %O', config);
+  debug('configuration object processed, resulting configuration: %O', {...config, clientSecret: "REDACTED", secret: "REDACTED"});
-  debug('configuration object processed, resulting configuration: %O', {...config, clientSecret: "REDACTED", secret: "REDACTED"});
+  const redactSensitiveFields = (obj, fieldsToRedact) => {
+    if (obj && typeof obj === 'object') {
+      return Object.keys(obj).reduce((acc, key) => {
+        acc[key] = fieldsToRedact.includes(key)
+          ? "REDACTED"
+          : redactSensitiveFields(obj[key], fieldsToRedact);
+        return acc;
+      }, Array.isArray(obj) ? [] : {});
+    }
+    return obj;
+  };
+  const redactedConfig = redactSensitiveFields(config, ['clientSecret', 'secret']);
+  debug('configuration object processed, resulting configuration: %O', redactedConfig);
-  debug('configuration object processed, resulting configuration: %O', {...config, clientSecret: "REDACTED", secret: "REDACTED"});
+  const redactSensitiveFields = (obj, fieldsToRedact) => {
+    if (obj && typeof obj === 'object') {
+      return Object.keys(obj).reduce((acc, key) => {
+        acc[key] = fieldsToRedact.includes(key)
+          ? "REDACTED"
+          : redactSensitiveFields(obj[key], fieldsToRedact);
+        return acc;
+      }, Array.isArray(obj) ? [] : {});
+    }
+    return obj;
+  };
+  const redactedConfig = redactSensitiveFields(config, ['clientSecret', 'secret']);
+  debug('configuration object processed, resulting configuration: %O', redactedConfig);
   const router = new express.Router();
   const transient = new TransientCookieHandler(config);