I have a web application (NextJS) set up to use Auth0 authentication, with a database provider. I recently tried to unlink the devices of my user, but it didn’t do anything: I could still use the application normally, even after doing a hard refresh. I tried the whole process again without refresh token rotation, to see if those refresh tokens were the cause, and I didn’t see any change.
It’s really hard to understand how this works: when we unlink a user’s device from the Auth0 dashboard, what is supposed to happen? Is there a way to force a user to be logged out immediately? Thanks
Welcome to the community. I don’t think there’s a clean way to force a logout at this time. Once a user is authenticated and they have an ID token they are “logged in” until the token expires. You need token invalidation and token introspection, both of which are on the roadmap I believe, but they aren’t available at this time.
You could maybe do it by invalidating the Auth0 session and then having your app call home to Auth0 to see if the session is still valid. I’m not sure if that would work from a coding perspective.
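An added illustration (not code from this thread or from Auth0) of why the dashboard action has no visible effect and of the app-side "call home" check suggested above: a stateless token check only looks at the token's own `exp` claim, so an app that wants a forced logout has to keep its own revocation record and consult it on every request. The helper names, the in-memory `revokedAt` map and the unsigned demo token are assumptions; signature verification with the app's JWT library is assumed to happen before these helpers run.

```javascript
// Added example, not from the original thread. Assumes ID tokens are JWTs and
// that the app has already verified the signature (omitted to stay dependency-free).

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Constructed, UNSIGNED demo token (header.payload.<empty signature>).
function makeDemoToken(payload) {
  const header = { alg: "none", typ: "JWT" };
  return `${base64url(header)}.${base64url(payload)}.`;
}

function decodePayload(token) {
  const [, payload] = token.split(".");
  return JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
}

// Stateless check: only the token's own claims decide, so nothing done in the
// IdP dashboard after issuance changes this answer until `exp` has passed.
function isTokenAlive(token, nowSeconds) {
  const { exp } = decodePayload(token);
  return typeof exp === "number" && exp > nowSeconds;
}

// App-side revocation record (assumed in-memory store): user id -> epoch seconds
// of the last forced logout. A real app would keep this in its database/cache.
const revokedAt = new Map();

function forceLogout(sub, nowSeconds) {
  revokedAt.set(sub, nowSeconds);
}

// The "call home" step: a token that has not expired is still rejected if it was
// issued (`iat`) at or before the user's recorded logout instant. Strict `>` errs
// on the side of rejecting a token issued in the same second as the revocation.
function isSessionValid(token, nowSeconds) {
  if (!isTokenAlive(token, nowSeconds)) return false;
  const { sub, iat } = decodePayload(token);
  const cutoff = revokedAt.get(sub);
  if (cutoff === undefined) return true;
  return typeof iat === "number" && iat > cutoff;
}
```

Until the token itself expires, `isTokenAlive` keeps returning true no matter what is done in the dashboard; only the app's own record flips `isSessionValid` to false.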