How can a social user invalidate all sessions?

Let’s assume some user logs in to any web application (let’s say, https://manage.auth0.com/) using Auth0 via Google-oauth2 and then loses the device he used to log in.
He immediately accesses his Google account from any other device and forces logout from that device. He even goes to security → connected apps and removes that Auth0 app there.

Yet still, the Auth0 session on that stolen device remains active and getAccessTokenSilently still provides new tokens based on that session (!)

What can that poor user do?
If nothing, what can we do as developers?

When resetting the password, the session is killed as far as I know… maybe that’s the solution you are expecting


Thanks @leandro.torres! Welcome to the Auth0 Community!
