Force Log-out of Users

How can we force log-out of users? I read in someone’s question that this is not possible (at least the forcing out of all users), but why not? It seems like a reasonable need. For example, when the system is undergoing required maintenance, we should be able to stop people from trying to log-on (which we can do in Auth0), but also log out those people who are logged on (force an expiration of their tokens).

Hey there!

Thanks for showing interest in that. Can you let us know potentially which part of our stack would you choose? Are you developing for web / mobile?

Hello Konrad, I don’t understand your response. We are using Auth0 currently for web development. We are interfaced with a third-party application that is tied to Auth0 and we are implementing that application, so we have limited ability to do anything with their code. We were hoping there was a way within Auth0 to logout everyone so that when the third-party upgrades their application, users are calling support asking why the system is down. Even though we notify our users, we want to limit the possibility of errors due to people still being logged into the system.


Gotcha! Thanks for providing that context! Let me do some research and get back to you shortly!


Basically here’s the doc that has answers for you! Once you read it, let me know if you have any questions!

Hi Konrad,

I read through this document. It doesn’t really address the question. I guess what you are saying is that Auth0 doesn’t have the ability to force all users out of the system. It should in my opinion, because it would be easy for you to expire all the authentication tokens. It would be impossible for my team to clear the users’ cookies or session because we have no control over Auth0 or the third-party application that we are using.

There’s currently no session management API available for Auth0, though it’s on the roadmap / under development (no ETA).

Regarding “It should in my opinion, because it would be easy for you to expire all the authentication tokens”:

Access tokens are self-contained JWTs, no token introspection, so there’s no way to revoke / expire an access token. Therefore access tokens should be short-lived. It’s only possible to revoke refresh tokens.
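To illustrate the difference between self-contained access tokens and revocable refresh tokens described above, here is an added example (not code from this thread or from Auth0). HS256 with a shared demo key, the `Issuer` class and every name in it are assumptions made so that it runs on its own.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"  # constructed sample key, for illustration only

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_access_token(sub: str, now: int, ttl: int) -> str:
    """Issuer side: sign a self-contained token that carries its own expiry."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64e(sig)}"

def api_accepts(token: str, now: int) -> bool:
    """API side: a purely local check, with no call back to the issuer."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64d(header)).get("alg") != "HS256":
            return False  # pin the algorithm instead of trusting the header
        good = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, b64d(sig)):
            return False
        return now < json.loads(b64d(body))["exp"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return False

class Issuer:
    """Hypothetical issuer: refresh tokens sit in a store, so they can be revoked."""
    def __init__(self):
        self.refresh_tokens = {}

    def login(self, sub: str, now: int, ttl: int):
        handle = secrets.token_urlsafe(16)  # opaque reference, not a signed token
        self.refresh_tokens[handle] = sub
        return issue_access_token(sub, now, ttl), handle

    def revoke_all(self):
        self.refresh_tokens.clear()

    def refresh(self, handle: str, now: int, ttl: int):
        sub = self.refresh_tokens.get(handle)  # looked up on every use
        return issue_access_token(sub, now, ttl) if sub else None
```

After `revoke_all()`, `refresh()` returns nothing, but an access token issued earlier keeps passing `api_accepts()` until its `exp`, so the token lifetime bounds how long a forced logout takes to become effective.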

Let us know if you have any questions regarding what Mathias added!

Hey there!

Have you had a chance to check our recent messages?

Ping ping friendly ping 🙂