The customer requires that when the user logs out of their identity provider portal, the user needs to be logged out of our application and Auth0. By using front-channel logout, we’re able to log the user out of our app using the sid (session id) provided in the front channel GET request from the identity provider.
We’ve understood there’s no way to terminate the Auth0 session through front-channel logout as the user logging out has to be redirected to the v2/logout endpoint, which is not possible when they’re initiating log-out at their identity provider instead of our app.
Following the suggestions given here: Identity Provider logout, we’ve set our access_token lifetime to 120 seconds, and want to set our Auth0 session lifetime to 0 as suggested, but the UI only allows us a minimum of 1 minute, which allows the next user using the same device to log in as the previous user (within 1 minute of the previous user logging out of their identity provider).
Is there a way to log a user out of Auth0 which does not involve redirecting them to v2/logout, as this is not feasible using front-channel logout, or is there a way to set the Auth0 session lifetime to 0?
All help appreciated.
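
The app-side half of the front-channel logout described in the question, as an added example that is not part of the original post and not Auth0's code: a handler that checks the iss and sid query parameters of the GET request and ends every local session recorded against that sid. It assumes the sid claim was stored when the session was created; SessionStore, handleFrontChannelLogout, the request path and the issuer URL are hypothetical.

```javascript
// Added example. All names and the issuer URL are hypothetical/constructed.
const EXPECTED_ISSUER = "https://idp.example.com/";

class SessionStore {
  constructor() {
    this.sessions = new Map(); // local session id -> { iss, sid, user }
    this.bySid = new Map();    // key(iss, sid) -> Set of local session ids
  }
  static key(iss, sid) { return JSON.stringify([iss, sid]); }
  // Called at login with the iss and sid claims taken from the ID token.
  create(localId, iss, sid, user) {
    this.sessions.set(localId, { iss, sid, user });
    const k = SessionStore.key(iss, sid);
    if (!this.bySid.has(k)) this.bySid.set(k, new Set());
    this.bySid.get(k).add(localId);
  }
  // Remove every local session bound to this (iss, sid); return how many.
  destroyBySid(iss, sid) {
    const k = SessionStore.key(iss, sid);
    const ids = this.bySid.get(k) || new Set();
    for (const id of ids) this.sessions.delete(id);
    this.bySid.delete(k);
    return ids.size;
  }
}

// Handles GET <front-channel logout URI>?iss=...&sid=...
// `destroyed` is for server-side logging, not for the response body.
function handleFrontChannelLogout(requestUrl, store, expectedIssuer = EXPECTED_ISSUER) {
  // The response is rendered in an iframe by the IdP and must not be cached,
  // or a cached copy could swallow a later logout request.
  const headers = { "Cache-Control": "no-store" };
  const params = new URL(requestUrl, "https://app.example.com").searchParams;
  const iss = params.getAll("iss");
  const sid = params.getAll("sid");
  // Exactly one of each: repeated parameters are ambiguous, so reject them.
  if (iss.length !== 1 || sid.length !== 1 || sid[0] === "") {
    return { status: 400, headers, destroyed: 0 };
  }
  // The request is an unsigned GET, so act only for the issuer we trust.
  if (iss[0] !== expectedIssuer) {
    return { status: 400, headers, destroyed: 0 };
  }
  // An unknown sid also gets 200: the call is idempotent and does not
  // reveal which sids are currently live.
  return { status: 200, headers, destroyed: store.destroyBySid(iss[0], sid[0]) };
}
```

This ends the application session only; the Auth0 session the question asks about is not touched by it.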