We are setting up Auth0 in order to allow SSO for different organisations (multi-tenant).
One requirement from our customers is that, upon logout from their identity providers, users should also have their access revoked from our app.
Unfortunately, we haven’t been able to find any documentation on this.
Do we need to set up hooks or something similar?
This is the flow we’d expect:
- Upon login, we redirect user with the
- User allows the app to access tenant data
- User is redirected and logged in.
- User logs out via Azure, or Google
- User should not be able to access the app
Whenever we call isAuthenticated and so on, the token still works. This seems reasonable, as the token is still (cached and) valid.
Whenever we retrieve the user profile through the backend from Auth0, the data is returned (which indicates that Auth0 will not invalidate the token either).
Note that using a short TTL for the token is not an option. Should a user log out from the identity provider, that should also log them out of Auth0, and thus out of our app.
I’d appreciate any advice on this.
Thanks a lot,