The docs describe that there are three layers of logged-in-ness:
- Application
- Auth0
- IdP
For a smooth experience the sign-in/out button in the App-Bar of my SPA application only signs in and out of the application session layer, and leaves the Auth0 session alive. Of course, this requires a successful Auth0 and IdP login at some point, but after that it’s smooth sailing.
How bad is it to do this? I guess that if a device is a public machine, this could be taken advantage of by the next user on it.
Edit: After implementing this I see the error in my reasoning. There’s really no point for a user to logout and be able to login again without providing credentials (application-session-layer logoff only).
This post can be deleted, it may cause more confusion than help others…
That’s an interesting UX. If a user explicitly signs out then they would typically expect to sign in again using some form of first-factor authentication. Explicit sign out is typically a way of providing a user with a certain peace of mind that they have terminated their session (and all that entails).
> How bad is it to do this? I guess that if a device is a public machine, this could be taken advantage of by the next user on it.
Your analysis here is correct. And it really depends on how long you have the "Inactivity timeout" or "Require log in after" parameters set to in your Auth0 tenant as to the potential security impact. Whilst a session in Auth0 is still active it is possible to generate tokens (as though it was the logged in user generating them). The potential security impact of this also depends on the nature of your application(s). Another reason why when a user performs an explicit logout, they expect to actually be logged out and thus protected against such situations.
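To make the three layers from the question and the reply concrete, here is an added example (not code from either poster or from Auth0's SDK) of an SPA sign-out helper that states explicitly which sessions each layer ends. The tenant domain, client id and return URL are constructed placeholders.

```javascript
// Added example: a sign-out helper that spells out the three logout layers
// (application, Auth0, IdP). Tenant values below are constructed placeholders.
const LOGOUT_LAYERS = ["application", "auth0", "idp"];

// Auth0's /v2/logout endpoint ends the Auth0 session; appending the
// "federated" parameter additionally asks Auth0 to sign the user out of the IdP.
function logoutUrl(cfg, federated) {
  const base = `https://${cfg.domain}/v2/logout` +
    `?client_id=${encodeURIComponent(cfg.clientId)}` +
    `&returnTo=${encodeURIComponent(cfg.returnTo)}`;
  return federated ? `${base}&federated` : base;
}

// Decide what signing out at a given layer must do.
// - application: only drop the SPA's local state. The Auth0 (and IdP) session
//   stays alive, so on a shared device the next user can silently obtain fresh
//   tokens until the tenant's inactivity / absolute timeouts expire it.
// - auth0: also redirect to /v2/logout so the Auth0 session is terminated.
// - idp: additionally request a federated logout from the upstream IdP.
function planLogout(layer, cfg) {
  if (!LOGOUT_LAYERS.includes(layer)) throw new Error(`unknown layer: ${layer}`);
  const plan = { clearLocalState: true, redirectTo: null };
  if (layer === "application") return plan;
  plan.redirectTo = logoutUrl(cfg, layer === "idp");
  return plan;
}

// Execute a plan. `session` is the SPA's in-memory session object and
// `navigate` is injected (e.g. url => window.location.assign(url)) so the
// helper can be exercised outside a browser.
function signOut(layer, cfg, session, navigate) {
  const plan = planLogout(layer, cfg);
  if (plan.clearLocalState) {
    delete session.accessToken;
    delete session.user;
  }
  if (plan.redirectTo) navigate(plan.redirectTo);
  return plan;
}

// Constructed sample configuration and session.
const SAMPLE_CFG = {
  domain: "example.auth0.com",        // placeholder tenant
  clientId: "abc123",                  // placeholder client id
  returnTo: "https://app.example.com/" // placeholder return URL
};
const SAMPLE_SESSION = { accessToken: "constructed-token", user: { sub: "auth0|123" } };
```

For an explicit "Sign out" button, the `auth0` or `idp` layer is the one that matches the user's expectation described in the reply; `application` alone only hides the state locally.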