Revoke all Auth0 sessions except the current one for some users

I have been reading for days, and tried to use help of AIs but to no avail.

So my requirement is like this: For some users, I want to revoke all logins except the current one. Let's say a user changes their password; I want to invalidate all sessions except the current one.

My current workflow goes like this. It is a legacy app, so I am not the original maker.
The user goes to my page, and my app checks the ASP.NET session. If it has expired, it redirects the user to Auth0: if the user has never logged in, it prompts for username and password; if the user has already logged in, it just forwards back to my page, where I get an AccessToken to fetch some details I need (nickname), and that is it; I generate a new ASP.NET session.

So now I want to invalidate all Auth0 sessions except the last one, so the user has to log in again, but only in some use cases, not all. If I invalidate the ASP.NET session, it just gets a new one, as the Auth0 one is still valid. I cannot redirect that user on the other devices he is logged in to in order to invalidate the SSO cookie.

I do not use any identity provider except username and password.
The Devices tab for each user is empty, so the device_credentials approach is not valid.
ChatGPT-4 suggests a /users/userid/sessions endpoint, but it seems to be hallucinating that endpoint.

I do get something using api/v2/grants, but there is no info about which one is current and which are the others, and I do not think that would be the right approach.

Is there any way to handle this that I am missing out?

Hi @filip.vuletic,

We don’t currently support an out of the box solution for this type of session management (probably why the AI answers are not getting anywhere).

In the case of password changes, the sessions should be revoked automatically. Can you take a look at this thread and see if you are seeing similar behavior?

Unfortunately, my use case is not just password reset; I used that example as it is the simplest to explain.

I also have tiers, and one of the tiers is One Login per One User. I do not care about the application session, as it has a short lifespan and will end rather soon; I just want the user to be prompted to log in and, on login, to log out all other machines. Not for all cases, just for some users.

I can handle that as additional session management in my application, but that brings unnecessary complications. Still, if that is the only option…

So you can confirm there is no Authentication API or Management API endpoint, or Rule/Action, that will invalidate all Auth0 sessions except the one currently in use for a single user?

1 Like
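The "additional session management from my application" fallback mentioned above, written out as an added example (not code from the original thread or from Auth0). The point it demonstrates is the problem raised earlier: the app cannot revoke Auth0's SSO cookie on the other device, so invalidating its own session alone just lets that device silently obtain a new one. The example therefore keeps a per-user "generation" counter that a new login bumps for single-login-tier users, and when a superseded session comes back it redirects to Auth0 with the standard OIDC `prompt=login` parameter so credentials are required instead of the SSO cookie being reused. The tenant domain, client id, redirect URI and the `SINGLE_LOGIN_USERS` tier table are constructed placeholders.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed example policy: user ids whose tier allows only one login at a time.
# In a real app this comes from the user/tier database, not a module constant.
SINGLE_LOGIN_USERS = {"auth0|user-b"}

# Constructed Auth0 tenant values (placeholders, not a real tenant).
AUTH0_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"


@dataclass
class AppSession:
    session_id: str
    user_id: str
    generation: int   # user's generation counter at the time this session was issued
    created_at: float


class SessionRegistry:
    """Application-side session store. Auth0 keeps its own SSO session that the app
    cannot revoke per device, so the app tracks a per-user generation counter and
    treats any session issued under an older generation as revoked."""

    def __init__(self) -> None:
        self._sessions: Dict[str, AppSession] = {}
        self._generation: Dict[str, int] = {}

    def login(self, user_id: str) -> AppSession:
        """Called after Auth0 redirects back with an authenticated user.
        For single-login users, bump the generation so every other session goes stale."""
        if user_id in SINGLE_LOGIN_USERS:
            self._generation[user_id] = self._generation.get(user_id, 0) + 1
        else:
            self._generation.setdefault(user_id, 0)
        session = AppSession(secrets.token_urlsafe(32), user_id,
                             self._generation[user_id], time.time())
        self._sessions[session.session_id] = session
        return session

    def check(self, session_id: str) -> str:
        """Return 'ok', 'stale' (superseded by a newer login elsewhere) or 'unknown'."""
        session = self._sessions.get(session_id)
        if session is None:
            return "unknown"
        if session.generation != self._generation[session.user_id]:
            del self._sessions[session_id]   # drop it so the id cannot be reused later
            return "stale"
        return "ok"

    def owner(self, session_id: str) -> Optional[str]:
        session = self._sessions.get(session_id)
        return session.user_id if session else None

    def active_count(self, user_id: str) -> int:
        """Sessions for the user that are still valid under the current generation."""
        return sum(1 for s in self._sessions.values()
                   if s.user_id == user_id and s.generation == self._generation.get(user_id))


def authorize_url(state: str, force_credentials: bool) -> str:
    """Build the Auth0 /authorize redirect. prompt=login is the standard OIDC parameter
    that makes the IdP ask for credentials even when its SSO cookie is still valid."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile", "state": state,
    }
    if force_credentials:
        params["prompt"] = "login"
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)


def next_action(registry: SessionRegistry, session_id: Optional[str], state: str) -> str:
    """Decide what the request handler does: return 'serve', or a redirect URL.
    A stale session of a single-login user is sent back with prompt=login, so the other
    device cannot silently get a fresh app session from the still-valid SSO cookie."""
    if session_id is None:
        return authorize_url(state, force_credentials=False)
    user_id = registry.owner(session_id)
    status = registry.check(session_id)
    if status == "ok":
        return "serve"
    force = status == "stale" and user_id in SINGLE_LOGIN_USERS
    return authorize_url(state, force_credentials=force)
```

Because each forced re-login bumps the generation again, the most recent login always wins and every takeover costs the user their credentials, which is the "one login per one user" behaviour without needing Auth0 to expose per-session revocation. Users outside the tier keep all their sessions, since their generation never changes.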

I can confirm that is the case.

1 Like

Ok then, that is fine, as if we had used refresh tokens the way they are supposed to be used, we would have had the required functionality with refresh token revocation :slight_smile:

Thank you very much for your help once again, Dan!

1 Like

No problem! Please let us know if you have any other questions.

1 Like
