How can social user invalidate all sessions?

piotr.jablonski · July 13, 2023, 4:23pm

Let’s assume some user logs in to any web application (let’s say, https://manage.auth0.com/) using Auth0 via Google-oauth2 and then loses his device he used to log in.
He immidiatelly accesses his Google account from any other device and forces logout from that device. He even goes to security → connected apps and removes that Auth0 app there.

Yet still, auth0 session on that stolen device remains active and getAccessTokenSilently still provides new tokens based on that session (!)

What can that poor user do?
If nothing, what can we do as developers?

leandro.torres · November 27, 2023, 6:57pm

When resetting password, the session is killed as far as I know… maybe that’s the solution you are expecting

dan.woda · November 28, 2023, 2:01pm

Thanks @leandro.torres! Welcome to the Auth0 Community!

system · December 22, 2023, 5:55pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.