Hi everyone,
I’m working on a flow where users should be logged out from all devices/sessions once they reset their password. I want to ensure that after a password reset, all existing sessions are invalidated across all devices and browsers.
Is there a recommended way to implement this using Auth0?
I’ve looked into options like rotating refresh tokens and revoking sessions, but I’m not sure of the best approach or if there’s built-in support for this use case.
Additionally, I’ve experimented with the Post Change Password Trigger, but I’m unclear on the precise implementation details and how to effectively invalidate tokens on other devices using this approach.
Any guidance or examples would be greatly appreciated!
Hi @sanjana.shah
Welcome to the Auth0 Community!
Thank you for posting your question. First of all, it's worth mentioning that resetting a user's password makes their session expire on the Auth0 server side, but note that there are different session layers (please see Sessions), and invalidating the Auth0 session layer does not mean invalidation of the Application session layer. The application would need to clear the local application session; a different browser would have its own local session via cookies, for example.
There’s no best answer to the question of what is the best approach, as it will depend. Here’s a link to the Solution from Knowledge Solution that should clear what the options are with Auth0 right now → User is Not Logged Out after Password Reset
It’s not mentioned in the post, so please keep in mind that the Access Tokens and ID Tokens cannot be revoked, as this is by design. Depending on the use case, you can lower the lifetime for the Access Tokens or ID Tokens and use refresh tokens.
Thanks!
Dawid
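The application-side half of the answer above (clearing the local session layer, and living with access/ID tokens that cannot be revoked), as an added example that is not part of the original thread or of Auth0's own code. It assumes an in-memory session store standing in for the app's cookie-backed sessions, and it uses a "token issued before the last password reset is stale" check, which is an assumed pattern rather than something the reply prescribes.

```python
import time
import uuid

# Constructed in-memory stores standing in for the application's own
# session storage and per-user metadata (hypothetical, for illustration).
APP_SESSIONS = {}          # session_id -> {"user_id": ..., "created_at": ...}
PASSWORD_CHANGED_AT = {}   # user_id -> unix time of the last password reset


def create_app_session(user_id, now=None):
    """Create a local application session (one per browser/device)."""
    now = time.time() if now is None else now
    sid = str(uuid.uuid4())
    APP_SESSIONS[sid] = {"user_id": user_id, "created_at": now}
    return sid


def on_password_reset(user_id, now=None):
    """Application-side reaction to a password reset: drop every local
    session for this user and remember when the reset happened.
    Returns the number of sessions dropped."""
    now = time.time() if now is None else now
    PASSWORD_CHANGED_AT[user_id] = now
    stale = [sid for sid, s in APP_SESSIONS.items() if s["user_id"] == user_id]
    for sid in stale:
        del APP_SESSIONS[sid]
    return len(stale)


def app_session_valid(sid):
    """A session is valid only if it still exists and was created after the
    user's last password reset (covers sessions created elsewhere before
    the reset was seen by this instance)."""
    s = APP_SESSIONS.get(sid)
    if s is None:
        return False
    return s["created_at"] >= PASSWORD_CHANGED_AT.get(s["user_id"], 0)


def token_acceptable(claims, now=None):
    """Access/ID tokens cannot be revoked, so the resource server rejects
    expired tokens and treats a token issued ('iat') before the user's
    last password reset as stale; a short 'exp' bounds the window in
    which a pre-reset token is still honoured."""
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return False
    return claims["iat"] >= PASSWORD_CHANGED_AT.get(claims["sub"], 0)
```

Shortening the token lifetime (the reply's suggestion) directly shrinks the gap between `on_password_reset` and the last moment `token_acceptable` still says yes to an old token.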