Currently we have situations where invalidating the existing SSO session(s) for a user could increase security. These include:

- When the user changes their email address
- When a user adds MFA
- When a user changes their password
We would like to be able to do this via the Management API or via a rule, as there is no opportunity to redirect browsers to the logout endpoint client-side. The redirect can also be stopped, so the existing logout endpoint really is not an option from a security perspective.
I noticed other support tickets asking for a similar feature and would like to know if Auth0 has moved forward with this or plans to in the near future.
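As a constructed, IdP-agnostic sketch of the server-side behaviour requested above (an added example, not Auth0's code or API): each user carries a security stamp that is bumped on an email change, MFA enrolment or password change, every session snapshots the stamp when issued, and a session is rejected once its stamp is stale, regardless of whether the browser ever reaches a logout endpoint. The event names and the in-memory store are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field

# Events the original post says should end existing SSO sessions (names are constructed).
REVOKING_EVENTS = {"email_changed", "mfa_enrolled", "password_changed"}

@dataclass
class UserState:
    security_stamp: int = 0                  # bumped on every credential-affecting change
    session_ids: set = field(default_factory=set)

@dataclass
class Session:
    user_id: str
    stamp_at_issue: int                      # snapshot of the user's stamp when the session was issued

class SessionStore:
    """Constructed in-memory store; a real IdP would back this with a database."""
    def __init__(self):
        self._users: dict[str, UserState] = {}
        self._sessions: dict[str, Session] = {}

    def _user(self, user_id: str) -> UserState:
        return self._users.setdefault(user_id, UserState())

    def create_session(self, user_id: str) -> str:
        user = self._user(user_id)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id, user.security_stamp)
        user.session_ids.add(sid)
        return sid

    def on_credential_change(self, user_id: str, event: str) -> int:
        """Server-side invalidation: nothing here depends on a client redirect that could be stopped."""
        if event not in REVOKING_EVENTS:
            return 0
        user = self._user(user_id)
        user.security_stamp += 1                 # lazy path: any outstanding session is now stale
        revoked = len(user.session_ids)
        for sid in user.session_ids:             # eager path: drop them from the store immediately
            self._sessions.pop(sid, None)
        user.session_ids.clear()
        return revoked

    def is_valid(self, session_id: str) -> bool:
        session = self._sessions.get(session_id)
        if session is None:
            return False
        # Defence in depth: a session record that outlived the delete (e.g. a lagging replica) still fails.
        return session.stamp_at_issue == self._user(session.user_id).security_stamp
```

The same stamp can be embedded in issued tokens so that resource servers reject tokens minted before the credential change without a round trip to the session store.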
Hi @drose,
A Session Management capability is definitely under consideration and on our product backlog due to its demand, but it is not yet available and there is no ETA to provide.
This is a heads-up that we’re hosting an Ask Me Anything (AMA) session dedicated to Auth0 sessions, refresh tokens, and the Management API. Our product experts will be on hand February 12, 2025, from 8 AM to 10 AM PST to answer all your questions—no matter how basic or advanced they may be! You can submit your queries anytime from now until February 11, and we’ll provide detailed written answers during the live event.
This is a fantastic opportunity to learn best practices around session management, refresh token rotation, and the Management API. Plus, everyone who participates gets points and a special badge just for joining in on the fun.
If you have any burning questions (or even casual curiosities!), feel free to drop them in this thread. We can’t wait to see what you’re working on and how we can help you optimize your Auth0 setup. See you there!