Started to investigate the back-channel logout functionality: OIDC Back-Channel Logout
A few questions.
Is it possible to make the back-channel logout optional? I.e. normally users would log out only from the application they are using. In case they wish, they can do a global logout and kill all sessions in all apps?
Which leads to the next question and the sid in the logout token. Would that sid be the same only in the same browser where the Auth0 session is? Can you implement a “global” logout which would kill the sessions across all devices? E.g. a user requests a “hard” logout in a desktop browser and it should send the back-channel logout also to the backend of a mobile app (which he has logged in to on a mobile device, and the Auth0 sid is different, I guess?).