Session maintenance at Auth0

I am working with the JAVA SDK for triggering login and other operations.

I would like to know whether every new login request triggers the creation of a new session at Auth0 or it just picks something from the existing session (if it isn’t expired yet).

That would help me clear my mind on whether or not log out from Auth0 is required or just clearing the session locally would work.

I confess that within our SDK’s the Java one is not the one that I’m most familiar with, but as is the case with others the SDK may allow for different authentication flows so the definitive answer to your question requires additional information in order to know which authentication flow you’re using.

For example, if you’re using the resource owner password credentials grant then this flow does not create a session at the identity provider (in this case the Auth0 service). However, if you’re using the authorization code grant which redirects the end-user to the authorization endpoint where they will complete authentication/authorization then a session would be created in the service.

Thanks for the reply @jmangelo
I am using → Log In with Password Realm - /oauth/token
https://github.com/auth0/auth0-java

The resource owner password credentials grant does not trigger a session to be established at Auth0 service.

Hi @jmangelo

I need another help in continuation of this.

Now that we are implementing social login using the /authorize endpoint, I think we will have to log out the user from the identity provider as well, by keeping the federated flag true for the /logout endpoint.

Just need your confirmation, if I am thinking in the right direction. or there is something else that I need to think about.

Thanks in advance!

Hi @jmangelo

I need another help in continuation of this.

Now that we are implementing social login using the /authorize endpoint, I think we will have to log out the user from the identity provider as well, by keeping the federated flag true for the /logout endpoint.

Just need your confirmation, if I am thinking in the right direction. or there is something else that I need to think about.

Thanks in advance!

Yes, the federated option would be the way to trigger the logout also in the upstream identity provider. Just have in mind that this requires that upstream identity provider to honor that logout request and some may also have different requirements. See the docs at (https://auth0.com/docs/logout) which mention supported providers and other specifics.

Hey @jmangelo,
Does the login using social identity provider as per the above discussion, trigger a session establishment at Auth0?