We use Auth0 to log users into several different websites. When a user logs out of one of our sites, we want to invalidate that user’s session on all sites, forcing them to log in again.
Thus far, we have achieved this using a global-logout micro-service. When any of our client sites performs a user log-out, it posts the timestamp of the user’s logout to the global-logout server. Then, every 5 minutes or so, every other client site checks to see if a user’s session was created prior to the last global logout - if the session is older, we invalidate that user’s session and force them to log in again.
The downside with this approach is that the user is forced to re-login to every client site after a global logout event. Ideally, after a global-logout event, the user would be able to re-login to Auth0 once, then silent auth (prompt=none) into all subsequent client sites.
In order to do this we need to be able to identify the age of the user’s Auth0 session when performing the silent-auth, as this would allow us to distinguish between silent-auths for Auth0 sessions that are older than the last logout (and therefore should be full re-auths) and those which are more recent.
I’ve been inspecting the response that comes back from a silent auth (Configure Silent Authentication) and I don’t see any way to identify the Auth0 session age. Am I missing something, or is this not currently possible?
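An added example (not code from the original post or from Auth0) of the bookkeeping the question describes: the global-logout service keeps each user's latest logout timestamp, client sites compare their session's creation time against it, and a silent-auth result is accepted only when the authentication time is newer than the last global logout. It assumes the authentication time is available as the standard OIDC `auth_time` claim (an assumption; the page does not confirm Auth0 populates it for prompt=none responses) and fails closed when it is absent.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class GlobalLogoutRegistry:
    """In-memory stand-in for the global-logout micro-service (constructed example)."""

    # user_id -> unix timestamp (seconds) of that user's most recent global logout
    last_logout: Dict[str, int] = field(default_factory=dict)

    def record_logout(self, user_id: str, logged_out_at: int) -> None:
        # Client sites may post out of order; never move the cutoff backwards.
        self.last_logout[user_id] = max(logged_out_at, self.last_logout.get(user_id, 0))

    def session_is_stale(self, user_id: str, session_created_at: int) -> bool:
        # The periodic check each client site runs: a session created at or before
        # the last global logout must be invalidated. "<=" treats a session created
        # in the same second as the logout as stale (fail closed on ambiguity).
        cutoff: Optional[int] = self.last_logout.get(user_id)
        return cutoff is not None and session_created_at <= cutoff


def silent_auth_decision(registry: GlobalLogoutRegistry, user_id: str,
                         id_token_claims: Dict[str, object]) -> str:
    """Decide what to do with the ID token returned by a prompt=none request.

    Returns "accept" when the Auth0 session is newer than the last global logout,
    otherwise "full_reauth". The session age is taken from the OIDC `auth_time`
    claim (assumption: the authorization request asked for it and Auth0 sets it).
    """
    if id_token_claims.get("sub") != user_id:
        return "full_reauth"  # token is not for the user we are checking
    auth_time = id_token_claims.get("auth_time")
    if not isinstance(auth_time, int):
        return "full_reauth"  # age unknown -> cannot prove it post-dates the logout
    if registry.session_is_stale(user_id, auth_time):
        return "full_reauth"  # Auth0 session predates the global logout
    return "accept"


if __name__ == "__main__":
    reg = GlobalLogoutRegistry()
    reg.record_logout("auth0|u1", 1_700_000_000)  # constructed sample values
    print(silent_auth_decision(reg, "auth0|u1", {"sub": "auth0|u1", "auth_time": 1_700_000_500}))
```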
Hey there!
Sorry for such a huge delay in response! We’re doing our best to provide you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.
Wanted to reach out to ask whether you still require further assistance.