Currently we have situations where invalidating the existing SSO session(s) for a user could increase security.
These include:
- When the user changes their email address
- When a user adds MFA
- When a user changes their password
We would like to be able to do this via the Management API or via a rule, as there is no opportunity to redirect browsers to the logout endpoint client-side. The redirect can also be stopped, so the existing logout endpoint really is not an option from a security perspective.
I noticed other support tickets asking for a similar feature and would like to know if Auth0 has moved forward with this or plans to in the near future.
Hi @drose,
A Session Management capability is definitely in consideration and on our product backlog due to its demand, but it is not yet available and there is no ETA to provide.
I’m excited to inform you about our next Ask Me Anything session in the Forum on Tuesday, July 30, with the Product Management team. If you have questions about upcoming features like FGA, Manage Sessions in Actions, or SCIM, submit your questions now, and our esteemed product experts will provide written answers on July 30. Can’t wait to see you there! Learn more here!