Currently we have situations where invalidating the existing SSO session(s) for a user could increase security:
- When the user changes their email address
- When a user adds MFA
- When a user changes their password
We would like to be able to do this via the management API or via a rule as there is no opportunity to redirect browsers to the logout endpoint client side. The redirect can also be stopped so the existing logout endpoint really is not an option from a security perspective.
I noticed other support tickets asking for a similar feature and would like to know if Auth0 has moved forward with this or plans to in the near future.