Let’s assume some user logs in to any web application (let’s say, https://manage.auth0.com/) using Auth0 via Google-oauth2 and then loses the device he used to log in.
He immediately accesses his Google account from another device and forces a logout from the lost device. He even goes to security → connected apps and removes that Auth0 app there.
Yet the Auth0 session on that stolen device still remains active, and getAccessTokenSilently still provides new tokens based on that session (!)
What can that poor user do?
If nothing, what can we do as developers?
This is a heads-up that we’re hosting an Ask Me Anything (AMA) session dedicated to Auth0 sessions, refresh tokens, and the Management API. Our product experts will be on hand February 12, 2025, from 8 AM to 10 AM PST to answer all your questions—no matter how basic or advanced they may be! You can submit your queries anytime from now until February 11, and we’ll provide detailed written answers during the live event.
This is a fantastic opportunity to learn best practices around session management, refresh token rotation, and the Management API. Plus, everyone who participates gets points and a special badge just for joining in on the fun.
If you have any burning questions (or even casual curiosities!), feel free to drop them in this thread. We can’t wait to see what you’re working on and how we can help you optimize your Auth0 setup. See you there!