Hi there, I have a question around how sessions are managed at the Auth0 layer.
In our application, we persist sessions server side, so we can revoke sessions at the application layer.
Currently the only way someone is able to change their password is via the forgot password link in the universal login.
I have set up a post password change action that calls an endpoint in our application layer to delete all sessions in our application's server-side session store, using the user_id from the event object. So the next time they try to authorize using an old cookie (our application cookie) they are unauthorized. My understanding was that the Auth0 session is invalidated when a password is changed, so we just need to handle our application layer.
What I'm finding is that if there are other sessions still active on multiple devices, an unauthorized error is returned from our application and they are then redirected to Auth0 to log in again. But it seems as though the Auth0 session on another device does not automatically get invalidated at the Auth0 layer when a password is changed: they hit the authorize endpoint in Auth0 and that succeeds without logging in again. They are redirected to the Auth0 success callback in our application and a new session is established.
How do I ensure that all Auth0 sessions are invalidated at the Auth0 layer?
I can see that there is this API to delete all user sessions, but I get this error:
[error] API request failed: 403 - {"statusCode":403,"error":"Forbidden","message":"Subscription missing entitlement","errorCode":"feature_not_enabled"}
What level of subscription is needed to get that feature enabled? And will that solve my problem?
Alternatively, if I store the auth0 session ids, would the other option be to call the logout endpoint Log Users Out of Auth0 with OIDC Endpoint with each of the session ids and our client id to ensure that all sessions are logged out?
I might be missing something, but this is what I’m finding when testing with multiple devices.