Force Log-out of Users

amckendrick · February 13, 2020, 12:19pm

How can we force log-out of users? I read in someone’s question that this is not possible (at least the forcing out of all users), but why not? It seems like a reasonable need. For example, when the system is undergoing required maintenance, we should be able to stop people from trying to log-on (which we can do in Auth0), but also log out those people who are logged on (force an expiration of their tokens).

konrad.sopala · February 13, 2020, 2:25pm

Hey there!

Thanks for showing interest in that. Can you let us know potentially which part of our stack would you choose? Are you developing for web / mobile ?

amckendrick · February 15, 2020, 8:38am

Hello Konrad, I don’t understand your response. We are using Auth0 currently for web development. We are interfaced with a third-party application that is tied to Auth0 and we are implementing that application, so we have limited ability to do anything with their code. We were hoping there was a way within Auth0 to logout everyone so that when the third-party upgrades their application, users are calling support asking why the system is down. Even though we notify our users, we want to limit the possibility of errors due to people still being logged into the system.

konrad.sopala · February 17, 2020, 2:46pm

Gotchya! Thanks for providing that context! Let me do some research and get back to you shortly!

dev-0ilpxm50 · February 18, 2020, 7:46am

We are using Auth0 currently for web development. We are interfaced with a third-party application that is tied to Auth0 and we are implementing that application, so we have limited ability to do anything with their code. We were hoping there was a way within Auth0 to logout everyone so that when the third-party upgrades their application, users are calling support asking why the system is down.

konrad.sopala · February 18, 2020, 7:48am

Basically here’s the doc that have answers for you! Once you read it let me know if you have any questions!

amckendrick · February 18, 2020, 10:18am

Hi Konrad,

I read through this document. It doesn’t really address the question. I guess what you are saying is that Auth0 doesn’t have the ability to force all users out of the system. It should in my opinion, because it would be easy for you to expire all the authentication tokens. It would be impossible for my team to clear the users cookies or session because we have no control over Auth0 or the third-party application that we are using.

mathiasconradt · February 18, 2020, 10:52am

There’s currently no session management API available for Auth0, though it’s on the roadmap / under development (no ETA).

Regarding

It should in my opinion, because it would be easy for you to expire all the authentication tokens

Access tokens are self-contained JWT, no token introspection, so there’s no way to revoke / expire an access token. Therefore access tokens should be short-lived. It’s only possible to revoke refresh tokens.

konrad.sopala · February 18, 2020, 12:17pm

Let us know if you have any questions regarding what Mathias added!

konrad.sopala · February 26, 2020, 6:32pm

Hey there!

Have you had a chance to check our recent messaages?

konrad.sopala · February 28, 2020, 2:04pm

Ping ping friendly ping