Does Blocking a User End their Session?

Problem statement

Will blocking a user end their session immediately or upon the next login? Will a currently logged-in user be logged out immediately if the user is blocked in the Auth0 tenant dashboard?

Solution

Blocking a user will invalidate the current Auth0 session, so the next time the user calls /authorize to the Auth0 tenant, they will be prompted to log in again even when presenting non-expired session cookies. If they attempt to use the blocked account, the application will receive an “unauthorized” error stating the “user is blocked.”

However, this only affects the Auth0 session layer. If the application maintains its own local session, that session is not managed by Auth0 and is not invalidated by the block. A user could potentially keep using the application as long as they do not need to obtain new access tokens, for example because a local cookie still lets them browse the application.

Access tokens also remain valid until they expire, so if users call APIs with them, a blocked user can keep making API calls until the current token expires. If access must be cut off quickly, it may be necessary to issue short-lived access tokens to limit that window.

To log users out of the application’s local session when they are blocked, the application must periodically poll the /authorize endpoint with the “prompt=none” parameter (also known as silent authentication) to check whether the user still has a valid session on the Auth0 side.

The Auth0 SPA SDK could, for example, use the getTokenSilently method to check whether the user still has a session, but note that by default it will not send a request to Auth0 while there are valid tokens in its cache. For this reason, shorter-lived access tokens are better for synchronizing sessions between Auth0 and the local application layer; alternatively, cacheMode can be set to off so that the SDK always sends a request to Auth0. GitHub resources are listed below:

If the user is blocked (or their session has expired or been logged out elsewhere), silent authentication returns a “login_required” error. The application should treat this as a signal that the user needs to log in again and invalidate their local session. If a blocked user then tries to log in again in the browser, authentication fails and they are instead redirected to the application’s callback URL with a “user is blocked” error.
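The check described above, as an added example that is not part of the original article and not Auth0 SDK code: a session-sync routine for an SPA using auth0-spa-js v2. It assumes an `Auth0Client` instance (from `createAuth0Client`) and an application-supplied `invalidateLocalSession` callback are passed in, so the logic can also be exercised with a constructed fake client.

```javascript
// Added example (not from the Auth0 article). Assumes auth0-spa-js v2, where
// getTokenSilently accepts { cacheMode: 'off' } to force a prompt=none round trip.

// The error code Auth0 returns from a prompt=none request when no valid
// session exists (blocked user, expired session, or logged out elsewhere).
const SESSION_LOST_ERROR = 'login_required';

// True only for the specific error that proves the Auth0 session is gone.
// Network failures or other errors are not evidence that the user was blocked.
function sessionLostFromError(err) {
  return Boolean(err) && err.error === SESSION_LOST_ERROR;
}

// One poll: ask Auth0 directly (bypassing the token cache) whether the session
// is still valid. If it is not, tear down the application's local session.
async function checkAuth0Session(auth0Client, invalidateLocalSession) {
  try {
    // cacheMode: 'off' skips the SDK cache, so an unexpired cached access
    // token cannot mask a block that has already happened on the Auth0 side.
    await auth0Client.getTokenSilently({ cacheMode: 'off' });
    return { valid: true, error: null };
  } catch (err) {
    if (sessionLostFromError(err)) {
      await invalidateLocalSession(err.error);
      return { valid: false, error: err.error };
    }
    // Keep the local session on transient errors; report the code for logging.
    return { valid: true, error: (err && err.error) || 'unknown' };
  }
}

// Poll on an interval; stop once the session is found to be gone.
// Returns a function that cancels the polling.
function startSessionPolling(auth0Client, invalidateLocalSession, intervalMs = 60000) {
  const timer = setInterval(async () => {
    const { valid } = await checkAuth0Session(auth0Client, invalidateLocalSession);
    if (!valid) clearInterval(timer);
  }, intervalMs);
  return () => clearInterval(timer);
}
```

The polling interval bounds how long a blocked user can keep a local session, so choose it together with the access token lifetime.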

Alternatively, the application can implement its own mechanism, triggered when the user is blocked in Auth0, that deletes the user’s local session on the application side.