The login process has a couple of areas that you have to take into account when planning your session management:
- the Auth0 session state (used for SSO): there is a cookie issued by Auth0 to keep track of a logged-in user for a particular device & browser
- the tokens your client receives from Auth0: these are usually JWTs and have differing expiries
I will assume that you have a simple Single Page App using Universal Login for the purposes of my explanation (there are many possible variations).
During the login to your app, the user will be redirected to the Auth0 Universal Login where they will login using a provided method (e.g. username/password, Google, Microsoft, etc).
Once they complete login Auth0 will create a cookie for SSO purposes on their domain and will redirect the user back to your app with an id_token (a JWT).
These tokens specifically have an expiry but they are not tracked and cannot be revoked, which is why you are advised to keep the expiry for these tokens low. You as the developer are responsible for how you manage and store these tokens, with the recommendation being to store them using the localStorage API (or sessionStorage API depending on your needs).
If you choose to store the tokens in localStorage then a user’s session in your app will continue to persist until the JWTs expire (even if they open and close their browser multiple times) or until you wipe the JWTs.
The user will also have a session persisted in Auth0 so if you redirect them to Auth0 and they still have a valid SSO cookie then Auth0 will redirect them back to you straight away with new JWTs.
In order to fully logout a user you must clear the JWTs and redirect the user to the Auth0 logout endpoint (as mentioned by @markd). Calling the logout endpoint will not logout the user from the upstream identity provider (unless you provide the federated parameter, which is optional).
Hopefully this helps clarify the process a bit!
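The two mechanics the answer above describes, checking whether a stored JWT is past its `exp` and doing a full logout (wipe the tokens, then send the browser to the Auth0 logout endpoint, with or without `federated`), as an added example in plain browser JavaScript. This is illustration code, not code from the post or from Auth0's SDKs: the storage keys, the `returnTo`/`client_id` query parameters and the in-memory storage stub are assumptions, and the sample token is constructed (unsigned) purely to exercise the decoder.

```javascript
// Added example, not from the original post. Assumptions: tokens are stored
// under the keys below, and the Auth0 logout endpoint is /v2/logout with the
// optional client_id / returnTo parameters and a bare `federated` flag.
const TOKEN_KEYS = ['id_token', 'access_token'];

// base64url -> UTF-8 string (JWT segments are unpadded base64url).
function base64UrlDecode(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  const bin = typeof atob === 'function' ? atob(padded) : Buffer.from(padded, 'base64').toString('binary');
  return new TextDecoder().decode(Uint8Array.from(bin, c => c.charCodeAt(0)));
}

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Local expiry check only: this does NOT verify the signature, it just decides
// whether to bounce the user back to Auth0. `exp` is seconds since the epoch
// (RFC 7519). A token without exp is treated as expired, because the post's
// point is that these tokens cannot be revoked once issued.
function isExpired(jwt, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 0) {
  const { exp } = decodeJwtPayload(jwt);
  if (typeof exp !== 'number') return true;
  return nowSeconds >= exp - skewSeconds;
}

// `storage` is anything with the Web Storage interface
// (window.localStorage or window.sessionStorage in a real SPA).
function clearTokens(storage) {
  for (const key of TOKEN_KEYS) storage.removeItem(key);
}

// https://<domain>/v2/logout[?client_id=...][&returnTo=...][&federated]
// `federated` is appended as a bare parameter; it also logs the user out of
// the upstream identity provider, which the post says is optional.
function buildLogoutUrl(domain, { clientId, returnTo, federated = false } = {}) {
  const params = [];
  if (clientId) params.push('client_id=' + encodeURIComponent(clientId));
  if (returnTo) params.push('returnTo=' + encodeURIComponent(returnTo));
  if (federated) params.push('federated');
  return `https://${domain}/v2/logout` + (params.length ? '?' + params.join('&') : '');
}

// Full logout as described: wipe the JWTs first, then redirect so the Auth0
// SSO cookie is cleared too. `navigate` is injected so this runs outside a
// browser; in a page the default does window.location.assign(url).
function logout(storage, domain, options, navigate = url => { window.location.assign(url); }) {
  clearTokens(storage);
  const url = buildLogoutUrl(domain, options);
  navigate(url);
  return url;
}

// --- constructed sample data (not real tokens, not a real storage) ---
function base64UrlEncode(str) {
  const b64 = typeof btoa === 'function' ? btoa(str) : Buffer.from(str, 'utf8').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// Unsigned token (empty signature segment) only to exercise decode/isExpired.
function makeSampleToken(payload) {
  return base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' })) + '.' +
         base64UrlEncode(JSON.stringify(payload)) + '.';
}
// Minimal stand-in for localStorage so the helpers can run in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
    get length() { return m.size; },
  };
}
```

Usage in a real page would be `logout(window.localStorage, 'YOUR_TENANT.auth0.com', { clientId, returnTo, federated: false })`. Note that the `isExpired` check is a convenience for the client only; because the tokens are not tracked server-side, anything that consumes them must verify the signature and `exp` itself.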