I’m working on integrating Auth0 into an ASP.NET / React application using cookie auth via the auth0-aspnetcore-authentication package.
My issue is that the user auth is never re-validated, e.g.
- If their claims are updated in Auth0, they are not updated in my application
- If the user resets their password, the user is not logged out of my application
- If the user is deleted, the user is not logged out of my application
I would expect that the user session would periodically be re-validated and claims be updated, is that not the case? If not, how can I manually trigger the session/claims to update without logging the user out periodically?
I see support for backchannel logout, but this is an enterprise feature and I think a periodical validation/refresh would be acceptable. I also see an “Id Token Expiration” setting against the application, but in my test configuring this to be 60s doesn’t seem to do anything.