I have created 2 applications using Flask and use Auth0 for SSO. After login, I store the user info in the Flask session. When I click on logout, it clears that session and redirects to the Auth0 logout URL.
Now, my question is: when I click on logout from one application, that only clears the session at the application level. How can I clear the session in the other application, which is on a different domain, or is there anything in Auth0 to notify all my applications when I log out?
Redirecting users to the logout endpoint does not cover the scenario where users need to be signed out of all of the applications they used. If you need to provide this functionality you will have to handle this in one of two ways:
Have short timeouts on your local session and redirect to Auth0 at short intervals to re-authenticate. NOTE: this can be done by calling checkSession from the client which does this redirect in a hidden iFrame. If you take the hidden iFrame approach you need to be aware of rate limits and third-party cookie issues.
Handle this entirely at the application level by providing your applications a way to notify all other applications when a logout occurs.
Well, like the page says, you can periodically redirect to Auth0's authorize endpoint to ensure a session is still active. The Auth0 client has a checkSession method which does this for you. If you don't use the official client, then just do it manually by redirecting yourself.
The other option described on the page is to use some sort of messaging system. Redis comes to mind, but there are other options. If you choose Redis, you would want to set up pub-sub (publish-subscribe) messaging. When a user logs out, publish their user id with a message of 'logout' or something. On the other applications, receive this and then reset the local state so they are 'logged out'.
The second option is more complex. Redirecting to the authorize endpoint is probably the easier option, and potentially the smarter option, but I am not informed about your architecture, so that is a decision you need to make yourself.
In any case, the gist is that you need to sync auth state. Either you can do that yourself, or you can delegate to auth0 to tell you.
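The publish-subscribe approach from the answer, as an added example that is not part of the original question or answer and not Auth0's or Flask's own code. A tiny in-process broker stands in for Redis PUBLISH/SUBSCRIBE so it runs offline; each `App` holds the local session state a Flask app would keep in its session store. The channel name `auth:logout`, the message fields and all user ids and session ids are constructed for the example. Beyond the bare "publish user id, reset local state" sketch, each app also records a per-user logout watermark and compares it against the session's issue time on every request, so a session is rejected even if the eviction and the request race, and a fresh login after the logout is still accepted.

```python
"""Cross-application logout via publish/subscribe (added example).

An in-process broker replaces Redis PUBLISH/SUBSCRIBE so this runs offline.
Each App mirrors one Flask application: it keeps its own local sessions and
subscribes to a logout channel so that a logout in any application also
invalidates that user's sessions here.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List

LOGOUT_CHANNEL = "auth:logout"  # constructed channel name (assumption)


class InProcessBroker:
    """Minimal publish/subscribe broker standing in for Redis PUBLISH/SUBSCRIBE."""

    def __init__(self) -> None:
        self._subscribers: Dict[str, List[Callable[[str], None]]] = {}

    def subscribe(self, channel: str, handler: Callable[[str], None]) -> None:
        self._subscribers.setdefault(channel, []).append(handler)

    def publish(self, channel: str, message: str) -> int:
        handlers = self._subscribers.get(channel, [])
        for handler in handlers:
            handler(message)
        return len(handlers)  # Redis PUBLISH likewise returns the receiver count


@dataclass
class LocalSession:
    user_id: str
    issued_at: float  # when this app accepted the Auth0 login (epoch seconds)


@dataclass
class App:
    """One application with its own local session state."""

    name: str
    broker: InProcessBroker
    sessions: Dict[str, LocalSession] = field(default_factory=dict)  # sid -> session
    logged_out_after: Dict[str, float] = field(default_factory=dict)  # user -> watermark

    def __post_init__(self) -> None:
        self.broker.subscribe(LOGOUT_CHANNEL, self._on_logout_message)

    def login(self, sid: str, user_id: str, now: float) -> None:
        """Called after the Auth0 callback has verified the user."""
        self.sessions[sid] = LocalSession(user_id=user_id, issued_at=now)

    def is_authenticated(self, sid: str) -> bool:
        """Per-request check: session exists and was issued after any global logout."""
        session = self.sessions.get(sid)
        if session is None:
            return False
        watermark = self.logged_out_after.get(session.user_id)
        if watermark is not None and session.issued_at <= watermark:
            # Issued before the user logged out elsewhere: drop it now.
            del self.sessions[sid]
            return False
        return True

    def logout(self, sid: str, now: float) -> None:
        """Local logout: clear the session, then tell every other application."""
        session = self.sessions.pop(sid, None)
        if session is None:
            return
        self.logged_out_after[session.user_id] = now
        payload = json.dumps(
            {"event": "logout", "user_id": session.user_id, "at": now, "source": self.name}
        )
        self.broker.publish(LOGOUT_CHANNEL, payload)

    def _on_logout_message(self, raw: str) -> None:
        msg = json.loads(raw)
        if msg.get("event") != "logout" or msg.get("source") == self.name:
            return  # not a logout, or our own broadcast
        user_id = msg["user_id"]
        at = float(msg["at"])
        # Keep the latest watermark; duplicated or out-of-order messages are harmless.
        self.logged_out_after[user_id] = max(self.logged_out_after.get(user_id, 0.0), at)
        # Eagerly evict live sessions for that user issued before the logout.
        for sid, session in list(self.sessions.items()):
            if session.user_id == user_id and session.issued_at <= at:
                del self.sessions[sid]


if __name__ == "__main__":
    broker = InProcessBroker()
    app_a, app_b = App("app-a", broker), App("app-b", broker)
    app_a.login("sid-a", "alice", 100.0)
    app_b.login("sid-b", "alice", 101.0)
    app_a.logout("sid-a", 105.0)
    print("app-b still authenticated:", app_b.is_authenticated("sid-b"))  # False
```

Redis pub/sub is fire-and-forget: an application that is down when the message is published never sees it. The per-request watermark check is what makes that tolerable; in a deployment the `logged_out_after` map would live in Redis itself (one key per user, expiring after the maximum session lifetime) rather than in each process, so a restarted application still rejects sessions issued before the logout.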