I develop web services which use Auth0 as an SSO authentication provider.
I found an issue about sign-out detection with multiple sites.
Could someone give me a good solution for the issue, please?
1. There are some web sites, called "site A" and "site B", which use CMS/CMFs.
2. As SSO, the user is already signed in via Auth0.
3. The user signs out on site A.
4. Unfortunately, site B still keeps the sign-in state for the user.
My expectation is that all sites have a sign-out detection feature, and in step 4, site B detects the sign-out for the user.
What is the best way to do that? Does someone have good ideas?
In my current thinking, one of the solutions is to call the userinfo API with the user's access token (with an interval of a few seconds, just in case of DDoS).
As far as I know there is no easy way to do this in Auth0 right now.
When your user logs out of “A”, even if you terminate the Auth0 SSO session, any issued security tokens (ID tokens and access tokens) will be considered valid until they expire.
The solution to this is token introspection (and a lot of chatter between your apps and your IAM service) but Auth0 does not offer token introspection at this time. If you’d like to see token introspection in Auth0, please leave feedback here: Auth0: Secure access for everyone. But not just anyone.
I believe the only way to do this today is to have “A” communicate with “B” (and vice versa) to tell “B” that the user logged out and “B” should ignore the user’s security tokens and require the user to re-authenticate.
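One way to build the app-to-app notification this answer describes, as an added illustration that is not Auth0 code and not part of the original thread: site A sends site B a signed "user logged out" message, site B records a per-subject cutoff instant, and B's token check rejects any token issued at or before that cutoff even though the token has not expired. The shared secret, the 60-second freshness window, the subject value and the token claims are all constructed assumptions for the example; a real deployment would also need to persist the registry and protect the endpoint that receives the message.

```python
"""Hypothetical cross-application logout notification (illustrative only, not Auth0's API)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional, Tuple

SHARED_SECRET = b"constructed-shared-secret-for-demo"  # assumption: A and B share this out of band
MAX_SKEW_SECONDS = 60  # reject notifications that are stale or replayed long after the fact


def sign_logout_notification(sub: str, logged_out_at: int, secret: bytes = SHARED_SECRET) -> dict:
    """Site A builds this right after terminating its own session for `sub`."""
    body = json.dumps({"sub": sub, "logged_out_at": logged_out_at},
                      sort_keys=True, separators=(",", ":"))
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_logout_notification(msg: dict, now: int, secret: bytes = SHARED_SECRET) -> Optional[dict]:
    """Site B checks the HMAC (constant-time) and the freshness window; returns the body or None."""
    expected = hmac.new(secret, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["mac"]):
        return None  # tampered or wrong secret
    body = json.loads(msg["body"])
    if abs(now - int(body["logged_out_at"])) > MAX_SKEW_SECONDS:
        return None  # too old (or clock far off) to trust; treat as replay
    return body


@dataclass
class LogoutRegistry:
    """Site B's record of 'tokens issued at or before this instant are dead' per subject."""
    revoked_at: dict = field(default_factory=dict)

    def record(self, sub: str, logged_out_at: int) -> None:
        # Keep the latest cutoff; an older notification must not reopen a newer logout.
        self.revoked_at[sub] = max(logged_out_at, self.revoked_at.get(sub, 0))

    def token_acceptable(self, claims: dict, now: int) -> bool:
        """Expiry check plus the logout cutoff; tokens minted after re-authentication pass."""
        if int(claims.get("exp", 0)) <= now:
            return False
        cutoff = self.revoked_at.get(claims.get("sub"))
        if cutoff is not None and int(claims.get("iat", 0)) <= cutoff:
            return False
        return True


def demo() -> Tuple[bool, bool, bool]:
    """Walk through the scenario from the thread with constructed values."""
    now = 1_700_000_000
    registry = LogoutRegistry()
    # Constructed token claims: issued 10 minutes ago, still 50 minutes from expiry.
    token = {"sub": "auth0|constructed-user", "iat": now - 600, "exp": now + 3000}
    before_logout = registry.token_acceptable(token, now)          # True

    # Site A: user signs out, A notifies B.
    msg = sign_logout_notification("auth0|constructed-user", now)
    # Site B: receives it 5 seconds later, validates, records the cutoff.
    body = verify_logout_notification(msg, now + 5)
    if body is not None:
        registry.record(body["sub"], body["logged_out_at"])
    after_logout = registry.token_acceptable(token, now + 5)       # False: unexpired but cut off

    # A forged message with a different subject fails the MAC check.
    forged = dict(msg, body=msg["body"].replace("constructed-user", "someone-else"))
    forged_accepted = verify_logout_notification(forged, now + 5) is not None  # False
    return before_logout, after_logout, forged_accepted


if __name__ == "__main__":
    print(demo())
```

The cutoff is keyed on `iat` rather than on a token identifier so that a token the user obtains by signing in again (issued after the cutoff) is accepted without B needing to learn about it; the trade-off is that all tokens for that subject issued in the same second as the logout are also rejected, which is the safe direction.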
Just to note that if we restrict this to applications using the Auth0 tenant as a SAML identity provider then this is technically supported (see Log Users Out of SAML Identity Providers). For applications using OpenID Connect protocol, besides adopting an approach of polling for a session (which I would not recommend in general) there is currently no support for immediate notification of other session participants (applications).