We have set up SSO using Auth0.
We are a SaaS provider and our customer has its users in Azure AD. They log in to our platform using their Azure AD credentials.
We update the session and fetch a new id_token/access_token before it expires (10 mins), i.e. we use a rotating refresh_token to fetch a new id_token/access_token.
Now, if the user is deleted or locked in AD, we are still able to fetch a new id_token/access_token for that locked/deleted user, and it seems Auth0 doesn't check the user's validity.
We want the user's session to end immediately (or after the current access_token expires). How can we make Auth0 check the user's validity before it returns the new id_token/access_token?