How can social user invalidate all sessions?

piotr.jablonski · July 13, 2023, 4:23pm

Let’s assume some user logs in to any web application (let’s say, https://manage.auth0.com/) using Auth0 via Google-oauth2 and then loses his device he used to log in.
He immidiatelly accesses his Google account from any other device and forces logout from that device. He even goes to security → connected apps and removes that Auth0 app there.

Yet still, auth0 session on that stolen device remains active and getAccessTokenSilently still provides new tokens based on that session (!)

What can that poor user do?
If nothing, what can we do as developers?

leandro.torres · November 27, 2023, 6:57pm

When resetting password, the session is killed as far as I know… maybe that’s the solution you are expecting

dan.woda · November 28, 2023, 2:01pm

Thanks @leandro.torres! Welcome to the Auth0 Community!

system · December 22, 2023, 5:55pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Destroy/Revoke all active sessions after password reset Help sessions , refresh-token-revocation	5	3652	October 31, 2024
Auth0 is not invalidating all the active session after password reset : Nextjs 14 Help configuration , application	2	42	October 11, 2024
Invalidate user's Auth0 session programmatically Help auth0	1	2773	November 14, 2024
Log out of multiple devices Help	6	4863	September 2, 2019
Unable to revoke refresh tokens Help auth0 , refresh-tokens	2	2065	December 21, 2022

How can social user invalidate all sessions?

Related topics