Hi,
As a Registered user logged-in on multiple devices
I want a method to log out all devices with the possible exception of the active device I am using
so that I can control access to the service. How does one configure Auth0 to support this use case? Thanks!
There’s currently no approach to do that through the Auth0 service, because there’s no session management API that would give you the ability to see which other devices have active sessions and then ask for those sessions to be invalidated.
You should submit this feedback through Auth0 so that our product team is aware of the feature request and also to help gauge the demand for such a feature.
Thanks @jmangelo. I’m curious as to how this forum site does it then. When I log out of community.auth0.com, if I have an active session on a different device, it’ll automatically log me out from that device too. I guess this is an application-specific implementation? Thanks.
I confess I don’t know the details, and I also only access this site from a single device, but like you said it’s technically possible to implement that at the application level. It’s just that if the application uses an upstream identity provider, then just clearing the local session may not be enough.
My previous answer also focused on the inability to invalidate the authenticated user-agent session (based on cookies) that is generated as part of a login. Another point is that a client application can give the illusion that there’s no session at the identity provider when one actually exists. For example, if an application always includes prompt=login
in an OIDC request, then although a session exists the Auth0 service would not use that session (this can lead someone to think a previous session was ended when in fact it was not).
Hi, in the users dashboard there is a “Devices” tab. Does that relate to the OP’s question? I couldn’t find information on this “Devices” feature either. Any idea what this feature does? Thanks.
That tab lists refresh tokens issued and does so by associating a device name with each (IIRC, it may use the user-agent header for that name). However, an application that does not make use of refresh tokens would never be listed there, even though that application can also have the user logged in; there would be no record of it on that tab.