We have been a bit frustrated by using Auth0, as after building the solution we have come to know from the docs and community forums that Auth0 provides no support for deprovisioning/blocking users if they are blocked/deleted in the identity provider (Azure AD in our case).
Handling it ourselves, i.e. in a rule, is also not simple, as:
- It adds a lot of latency.
- If the user doesn't come to our site, how do we know that he has been deleted/blocked in the source system?
Some other issues are:
- While returning a new access token for a refresh token, Auth0 doesn't check in the source system whether the user is still active or not.
- The only simple way is to keep the refresh token lifetime a bit shorter so that the user is redirected to Azure AD and his status can be checked (active or not), and this is not at all a good user experience for the end user.
We are now thinking of removing Auth0 and switching to some other provider.
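One way to close the gap the post describes (a user who is disabled or deleted in Azure AD but never comes back to the site, so no login rule ever runs) is an out-of-band reconciliation job that compares Azure AD account state with the Auth0 user store and blocks the Auth0 users whose upstream account is disabled or gone. The following is an added example, not code from the original post or from Auth0. The sample data is constructed: its shapes mimic the Microsoft Graph `GET /v1.0/users?$select=id,userPrincipalName,accountEnabled` response and the Auth0 Management API `GET /api/v2/users` response, which are the real calls a job would make. The connection name `azure-ad-conn`, the assumption that `identities[].user_id` carries the Azure AD object id for a `waad` connection, and the injected `send` transport are assumptions; the blocking call it builds, `PATCH /api/v2/users/{id}` with `{"blocked": true}`, is a real Management API endpoint.

```python
"""Reconcile Azure AD account state into Auth0 user blocks (planner + dry-run apply)."""
from urllib.parse import quote

AZURE_CONNECTION = "azure-ad-conn"  # hypothetical name of the Auth0 enterprise connection

# Constructed sample of the Graph /users response (only the fields the job needs).
# carol is missing on purpose: she has been deleted in Azure AD.
AZURE_AD_USERS = [
    {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "userPrincipalName": "alice@example.com", "accountEnabled": True},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000002", "userPrincipalName": "bob@example.com", "accountEnabled": False},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000004", "userPrincipalName": "dave@example.com", "accountEnabled": True},
]

# Constructed sample of the Auth0 Management API /api/v2/users response.
# ASSUMPTION: for a waad connection, identities[].user_id is the Azure AD object id.
AUTH0_USERS = [
    {"user_id": "waad|11111111-aaaa-4bbb-8ccc-000000000001", "blocked": False,
     "identities": [{"provider": "waad", "connection": AZURE_CONNECTION, "user_id": "11111111-aaaa-4bbb-8ccc-000000000001"}]},
    {"user_id": "waad|11111111-aaaa-4bbb-8ccc-000000000002", "blocked": False,
     "identities": [{"provider": "waad", "connection": AZURE_CONNECTION, "user_id": "11111111-aaaa-4bbb-8ccc-000000000002"}]},
    {"user_id": "waad|11111111-aaaa-4bbb-8ccc-000000000003", "blocked": False,
     "identities": [{"provider": "waad", "connection": AZURE_CONNECTION, "user_id": "11111111-aaaa-4bbb-8ccc-000000000003"}]},
    {"user_id": "waad|11111111-aaaa-4bbb-8ccc-000000000004", "blocked": True,
     "identities": [{"provider": "waad", "connection": AZURE_CONNECTION, "user_id": "11111111-aaaa-4bbb-8ccc-000000000004"}]},
    # A database user: not sourced from Azure AD, so the job must leave it alone.
    {"user_id": "auth0|5f0c0000000000000000ee01", "blocked": False,
     "identities": [{"provider": "auth0", "connection": "Username-Password-Authentication", "user_id": "5f0c0000000000000000ee01"}]},
]


def azure_oid(auth0_user, connection=AZURE_CONNECTION):
    """Return the Azure AD object id behind an Auth0 user, or None if the user
    did not come through the given waad connection (assumed identity layout)."""
    for ident in auth0_user.get("identities", []):
        if ident.get("provider") == "waad" and ident.get("connection") == connection:
            return ident.get("user_id")
    return None


def plan_blocks(azure_users, auth0_users, connection=AZURE_CONNECTION):
    """Decide which Auth0 users to block and which to flag for manual review.

    - disabled in Azure AD (accountEnabled false)  -> block, reason "disabled"
    - absent from Azure AD (deleted)               -> block, reason "deleted"
    - blocked in Auth0 but enabled in Azure AD     -> review only; the Auth0 block may have
      been set for another reason (e.g. brute-force protection), so never auto-unblock.
    """
    enabled = {u["id"] for u in azure_users if u.get("accountEnabled")}
    known = {u["id"] for u in azure_users}
    to_block, to_review = {}, []
    for user in auth0_users:
        oid = azure_oid(user, connection)
        if oid is None:
            continue  # other connections are out of scope for this job
        if oid in enabled:
            if user.get("blocked"):
                to_review.append(user["user_id"])
        elif not user.get("blocked"):
            to_block[user["user_id"]] = "disabled" if oid in known else "deleted"
    return {"block": to_block, "review": sorted(to_review)}


def block_request(user_id):
    """Build (but do not send) the Management API call that blocks one user.
    The user id contains '|', so it must be percent-encoded in the path."""
    return ("PATCH", "/api/v2/users/" + quote(user_id, safe=""), {"blocked": True})


def apply_plan(plan, send):
    """Run the block actions through an injected transport send(method, path, body).
    Returns [(user_id, reason, transport_result), ...] for audit logging."""
    results = []
    for user_id, reason in sorted(plan["block"].items()):
        method, path, body = block_request(user_id)
        results.append((user_id, reason, send(method, path, body)))
    return results


if __name__ == "__main__":
    plan = plan_blocks(AZURE_AD_USERS, AUTH0_USERS)
    # Dry-run transport: print the call instead of talking to Auth0.
    for entry in apply_plan(plan, lambda m, p, b: print(m, p, b) or "dry-run"):
        print("blocked", entry)
    for uid in plan["review"]:
        print("blocked in Auth0 but enabled in Azure AD, review manually:", uid)
```

Run it on a schedule (or from an Azure AD lifecycle event) with `send` wired to an authenticated Management API client, and keep the `review` list as a report rather than an automatic unblock. Whether a block also causes Auth0 to reject later refresh-token grants for that user is exactly the property the post is worried about, so verify it in a test tenant before shortening or lengthening refresh-token lifetimes on the strength of this job.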