Invalidate application sessions

I have 2 applications: a React + Node app and a HubSpot application.

I have used Auth0 for SSO for both apps and registered the applications in the same tenant.

The React + Node setup uses express-openid-connect in the Node app for authentication.

Now, when a user logs out from either application (HubSpot or React), I want to invalidate the other application’s session and the underlying Auth0 session as well.

I was able to invalidate the underlying Auth0 session in the Express app, but it still doesn't invalidate the HubSpot session.

And in HubSpot’s case, it doesn't clear the underlying Auth0 session as well as the React session.

Please respond to this ASAP.


Hi @rkreddy2699,

To invalidate the Auth0 Session Layer, your user needs to hit the /logout endpoint. Can you confirm that the log out is hitting that endpoint successfully?

Additionally, the application session needs to be invalidated (by deleting or expiring tokens). This is a bit more complex, because there is no Single Logout Feature for Auth0 database connections (yet).

This doc may help:

Hi @dan.woda,

So are you saying that if I have to clear out sessions of a single user for multiple applications at multiple places, I can't do that?

You can revoke the user’s session, but you can’t revoke an existing access or ID token. We recommend short lifetimes for these as a result.
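
The two layers discussed in this thread, sketched as an added example (not code from any poster or from Auth0). It assumes both applications keep server-side sessions you can delete, modelled here as one in-memory Map; the tenant domain, client ID, session IDs and user IDs are constructed placeholders. It also shows why token lifetime matters: a token issued before logout stays usable until its `exp`.

```javascript
// Constructed placeholders, not values from the thread.
const AUTH0_DOMAIN = 'example-tenant.auth0.com';
const CLIENT_ID = 'EXAMPLE_CLIENT_ID';

// Application-layer sessions: session id -> { app, sub }.
// Assumption: each app's session store is reachable from the logout handler.
const sessions = new Map();

function createSession(sid, app, sub) {
  sessions.set(sid, { app, sub });
}

// Application layer: delete every session held for this user, in every app.
function revokeAppSessions(sub) {
  let removed = 0;
  for (const [sid, s] of sessions) {
    if (s.sub === sub) {
      sessions.delete(sid);
      removed++;
    }
  }
  return removed;
}

// Auth0 session layer: the browser has to visit the tenant's logout
// endpoint, otherwise the next login silently restores the session.
function auth0LogoutUrl(returnTo) {
  const u = new URL(`https://${AUTH0_DOMAIN}/v2/logout`);
  u.searchParams.set('client_id', CLIENT_ID);
  u.searchParams.set('returnTo', returnTo);
  return u.toString();
}

// Tokens already issued are not revoked by either step above. An API that
// only checks `exp` keeps accepting them for this many more seconds.
function exposureAfterLogout(tokenClaims, logoutAtEpochSeconds) {
  return Math.max(0, tokenClaims.exp - logoutAtEpochSeconds);
}

// One logout handler covering both layers, plus the residual token window.
function logoutEverywhere(sub, returnTo, tokenClaims, nowEpochSeconds) {
  return {
    revokedSessions: revokeAppSessions(sub),
    redirectTo: auth0LogoutUrl(returnTo),
    tokenExposureSeconds: exposureAfterLogout(tokenClaims, nowEpochSeconds),
  };
}
```

With a 24-hour access token the residual window after logout can be up to 86400 seconds; with a 5-minute token it is at most 300.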
