Best practice: How to kick newly blocked users out of active sessions

We’re looking to disable the UI of our application if we block a user in auth0. Right now, we only know if the user is blocked when they attempt to log in. What are some methods you recommend for checking user/org metadata in auth0 without hitting the api rate limits by checking each user on each page load? What’s the best way to store user metadata that changes often? Should we store it outside of auth0?

Thanks.

Thank you for posting @misley !

I’m happy to assist you in discovering the solution you’re looking for.

If we are looking for an answer to how to end a user session on the Auth0 (IdP) layer, this session is invalidated once a user is blocked.

To invalidate a local application session (the UI you are mentioning), there is a way for that as well (that shouldn’t cause you trouble with rate limiting if we follow the recommended 15-minute interval between calls) - please take a look at this doc, especially the part:

If needed to log users out of the application’s local session when blocking them, it is necessary to periodically poll the /authorize endpoint using the “prompt=none” parameter (AKA silent authentication) to check if the user still has a valid session on the Auth0 side.

Please let us know your thoughts and follow-up questions!
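An added example (not code from the thread or from Auth0) of the polling described above: run the silent authentication check on the recommended 15-minute interval and end the local session only when Auth0 reports that the user no longer has a session there, which is the state a blocked user ends up in. Assumed, not from the thread: an injected `checkSession` function that performs the prompt=none request and rejects with an object carrying the OIDC `error` code (with auth0-spa-js this would be `() => auth0Client.getTokenSilently()`, which rejects with `error === 'login_required'` when no Auth0 session exists), and an `onSessionLost` callback that clears the local session.

```javascript
// Poll Auth0 silent authentication (prompt=none) and end the local session once
// Auth0 no longer has a session for the user (e.g. the user was blocked).
// Assumption: checkSession() resolves on success and rejects with {error: <OIDC code>}.

const POLL_INTERVAL_MS = 15 * 60 * 1000; // the 15-minute interval recommended above

// prompt=none error codes that mean "the user must interact again": there is no
// usable Auth0 session, so the local application session must end as well.
const SESSION_GONE = new Set(['login_required', 'interaction_required', 'consent_required']);

// Only a definite "no session" answer logs the user out. Network or other
// transient failures keep the session and are retried on the next tick, so a
// flaky connection cannot log users out by itself.
function classifySilentAuthError(err) {
  const code = err && typeof err.error === 'string' ? err.error : '';
  return SESSION_GONE.has(code) ? 'session_lost' : 'transient';
}

// One poll. Returns 'active', 'session_lost' or 'transient' and calls
// onSessionLost exactly once when the Auth0 session is gone.
async function pollOnce({ checkSession, onSessionLost }) {
  try {
    await checkSession();
    return 'active';
  } catch (err) {
    const verdict = classifySilentAuthError(err);
    if (verdict === 'session_lost') await onSessionLost(err);
    return verdict;
  }
}

// Start polling; returns a stop() function. After the session is lost the
// watcher stops itself so a logged-out tab does not keep calling /authorize.
function startSessionWatch({ checkSession, onSessionLost, intervalMs = POLL_INTERVAL_MS }) {
  let timer = null;
  const stop = () => { if (timer !== null) { clearInterval(timer); timer = null; } };
  timer = setInterval(async () => {
    const verdict = await pollOnce({ checkSession, onSessionLost });
    if (verdict === 'session_lost') stop();
  }, intervalMs);
  return stop;
}
```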

Thanks for the reply. Is there a similar process for getting latest app_metadata? Or do we need to rely on regular API hits for that?

You’re welcome @misley !

You can also use Actions to get the app_metadata and make login decisions based on them, an example:

exports.onExecutePostLogin = async (event, api) => {
  // app_metadata is available on the user object in the post-login flow
  if (event.user.app_metadata.didAnExpensiveTask) {
    console.log(`Skipping the expensive task because it already occurred for ${event.user.email}.`);
    return;
  }
  // do an expensive task
  // record the result in app_metadata so later logins can skip it
  api.user.setAppMetadata("didAnExpensiveTask", true);
};

Hope this helps! Please let us know if you have any questions.
