Identity Provider logout

Hey there,

We are setting up Auth0 in order to allow SSO for different organisations (multi-tenant).

One requirement from our customers is that upon logout from their identity providers, users should also have their access revoked from our app.

Unfortunately, we haven’t been able to find any documentation on this.
Do we need to set up hooks or something similar?

This is the flow we’d expect:

  1. Upon login, we redirect user with the loginWithRedirect method
  2. User allows the app to access tenant data
  3. User is redirected and logged in.
  4. User logs out via Azure or Google
  5. User should not be able to access the app

Whenever we call getTokenSilently, checkSession, isAuthenticated and so on, the token still works. This seems reasonable, as the token is still (cached and) valid.
Whenever we retrieve the user profile through the backend from Auth0, the data is returned (which indicates that Auth0 will not invalidate the token either).

Note that using a short TTL for the token is not an option. Should a user log out from the identity provider, it should then also log them out from Auth0, and thus from our app.

I’d appreciate any advice on this.
Thanks a lot,

Best,
Nicolas

Hi @nicolas2

What you need is a short-lived access token plus a 0-length session in Auth0.

Access tokens are self-contained, you cannot revoke them, so you should have a short-lived access token no matter what. When it expires, you will need to get a new one, then the Auth0 session has also expired, and the user will be redirected back to the federated IDP. If the federated IDP session still exists, they will be logged in and get a new token. If the session does not exist, they’ll be asked for credentials.

John

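The pattern John describes, as an added example that is not part of the thread: the SPA keeps a short-lived access token, renews it silently while the Auth0 session exists, and hands the user back through Auth0 to the federated IdP once that silent renewal fails. The client shape (getTokenSilently rejecting with `error: 'login_required'`, loginWithRedirect) follows @auth0/auth0-spa-js; the token builder and the 30-second skew are assumptions for the demo.

```javascript
// Added example (not code from the thread). Assumes the auth0-spa-js client
// shape: getTokenSilently() resolves to a token, or rejects with
// { error: 'login_required' } once the Auth0 session is gone;
// loginWithRedirect() sends the user through Auth0 to the federated IdP.
const REFRESH_SKEW_SECONDS = 30; // assumed: renew a little before expiry

// Base64url helpers without Node 15+ 'base64url' so this runs on older Node.
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
const toB64url = (buf) => buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Read the payload only; the SPA needs `exp` to schedule renewal.
// Signature verification is the API's job, never the browser's.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  return JSON.parse(fromB64url(parts[1]).toString('utf8'));
}

// True when the cached token is expired or about to expire.
function needsRenewal(token, nowSeconds) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true; // no exp claim: treat as stale
  return exp - nowSeconds <= REFRESH_SKEW_SECONDS;
}

// Returns a usable token, or 'redirected' after handing the user to the IdP.
async function ensureAccessToken(client, cachedToken, nowSeconds) {
  if (cachedToken && !needsRenewal(cachedToken, nowSeconds)) return cachedToken;
  try {
    // With a 0-length Auth0 session this rejects as soon as the session has
    // lapsed, so every renewal is effectively re-checked by the federated IdP.
    return await client.getTokenSilently();
  } catch (err) {
    if (err && err.error === 'login_required') {
      // IdP session still alive: user comes back without a prompt.
      // IdP session gone (logout/de-provisioning): credentials are asked for.
      await client.loginWithRedirect();
      return 'redirected';
    }
    throw err;
  }
}

// Constructed, unsigned sample token for demonstration only (not an Auth0 token).
function makeUnsignedToken(payload) {
  const enc = (o) => toB64url(Buffer.from(JSON.stringify(o)));
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}
```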

Hi @john.gateley,

Thanks for your answer.

As we see, your suggestion leads to having the user redirected every time the Auth0 session expires.
From a UX point of view, that’s unfortunately not an option.

Would it be possible to silently renew the session on Auth0 without having the user redirected?

On the other hand, we have indeed managed to log out users on Auth0 whenever they log out from Azure, by setting the Front-channel logout URL on their end. Generally though, we want to know if there’s a way of revoking a session on Auth0 whenever the session in the Identity Provider is terminated (which happens either by revoking the session or de-provisioning the user).

Again, thanks so much for your help.

Best,
Nicolas


Hello @nicolas2

What did you set your Front-channel logout URL as, to make it work? I have tried using the /v2/logout endpoint but whenever I log out, it still remembers my credentials to auth0 on next login so that it logs in with the same user as I logged out from.

Best,
Nikolaj

Hey @nkr

We set in the Front-channel logout URL the following value:

https://<AUTH0_APPLICATION_DOMAIN>/logout
(e.g. https://my-app.eu.auth0.com/logout).

Just as a follow-up from the prior discussion, we finally opted to implement SAML ourselves due to the aforementioned shortcomings.

Best,
Nicolas