Social login session persists after blocking unregistered users — silent re-auth loop

We are blocking unregistered social login users (Google/Apple) in a Post-Login Action. When a user who is not registered in our system authenticates via a social provider, we block them and redirect them to an informational screen.

Problem:

Despite blocking the user in the Post-Login Action, the social provider SSO session remains active. This causes the application’s silent authentication to immediately re-trigger, re-authenticate via the social provider, and hit the Post-Login Action again — creating a continuous loop.

We have tried:

  • Deleting the Auth0 user — the social provider re-creates it on the next silent auth
  • Deleting Auth0 sessions via DELETE /api/v2/users/{id}/sessions — the session is re-created immediately
  • Unlinking the social identity via DELETE /api/v2/users/{id}/identities/{provider}/{user_id} — reduces the loop but does not fully stop it as a new identity is created on the next attempt

Question:

What is the recommended approach to fully invalidate a social provider session from within a Post-Login Action so that silent re-authentication cannot occur after a user is blocked?