I use the spa-sdk to orchestrate authentication using Auth0, but have a custom authz implementation server side.
I was looking for a way to invalidate a user’s Auth0 session cookie/token using user management APIs, for situations where I want to force a user to log out and log back in. All the documentation I can find talks about redirecting the user to the logout endpoint, but to do that I’ll need to build a bunch of things that I can avoid doing if there’s a way to get the Auth0 Management API to do this for me instead.
Unless I’m missing something, the API you linked to is what I can redirect/send my users to in order to log them out. I am interested in being able to terminate their session from the backend system, without having the user navigate to /v2/logout, and without having access to their specific session tokens. For instance, an “invalidateAllSessions” type API that my application can hit, with the user’s identity info along with ways to validate the client_id of my application.
Is that a capability that Auth0 allows for/exposes?
@konrad.sopala @dan.woda thought I’d ping once more before assuming this isn’t a supported capability, and find other ways to solve this problem.
Also, if you’re keeping score somewhere, would love for this to be something Auth0 allows for – it’ll make server-side management of user sessions much easier to manage.
This isn’t a feature we offer at the moment, but this request is something we are aware of. Thanks for sharing your use-case and for the detailed feedback!