- Which SDK this is regarding: e.g. auth0-react
- SDK Version: e.g. 1.9.0
We’ve come up with an interesting flow where I’m not sure what the expectations are. Essentially this boils down to user A being logged into our app and then user B logging in via alternate means, but on the same computer. The Auth0 SDK for React leaves the original user logged in.
More accurately:
- User A logs in with Chrome
- User B uses our sign up form in Firefox on the same PC
- New User B gets a password reset/verification email and opens it in Chrome
- User B completes the password reset process (now in Chrome on the same PC) and is redirected back to our app by Auth0
- Our app calls `getTokenSilently` but receives the cached token for User A
Should Auth0 be clearing out the session of the original user? Or is this a weird edge case?
We stumbled upon this while testing out a custom signup+password reset flow we put in place using password reset tickets.
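
One way an app can catch the mismatch described in this post, as an added example that is not part of the original post and not Auth0's code: compare the account the reset link was issued for with the identity cached in the browser before continuing. The `expected_email` query parameter, the function name and the action names are hypothetical; `cachedClaims` stands for ID token claims such as the SDK's `getIdTokenClaims()` returns.

```javascript
// Hypothetical parameter the app appends to the URL it asks Auth0 to
// redirect to after the reset. It is an assumption, not an Auth0 feature.
const EXPECTED_PARAM = 'expected_email';

const normalize = (email) => String(email).trim().toLowerCase();

// callbackUrl : the URL the browser landed on after the reset flow.
// cachedClaims: ID token claims of whoever is cached in this browser,
//               or undefined/null when nobody is.
// The parameter is attacker-controllable, so it is only ever used to
// force a fresh login, never to grant access or pick a session.
function decideAfterReset(callbackUrl, cachedClaims) {
  const expected = new URL(callbackUrl).searchParams.get(EXPECTED_PARAM);
  if (!expected) {
    return { action: 'continue', reason: 'not a reset callback' };
  }
  const loginHint = normalize(expected);
  if (!cachedClaims || !cachedClaims.email) {
    return { action: 'login', loginHint, reason: 'no cached session' };
  }
  if (normalize(cachedClaims.email) === loginHint) {
    return { action: 'continue', reason: 'cached session matches' };
  }
  // The case from the post: user A is still cached while user B has
  // just finished the reset in the same browser profile.
  return {
    action: 'logout-then-login',
    loginHint,
    reason: 'cached session belongs to a different user',
  };
}

// Constructed sample input: user A cached, user B returning from reset.
const sampleUrl =
  'https://app.example.com/welcome?expected_email=User.B%40example.com';
const userA = { sub: 'auth0|constructed-a', email: 'user.a@example.com' };
console.log(decideAfterReset(sampleUrl, userA));
```

The app would map `logout-then-login` to the SDK's `logout` followed by `loginWithRedirect`, so that user B authenticates instead of inheriting user A's cached token.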