Users Are Still Able to Log In Even After Disabling Database and Passwordless Connections

Problem Statement:

We see some successful login events even after disabling the connections for the applications we have. How can we prevent login events?


If the session is valid, disabling the connection for an application isn’t sufficient.


  1. In the tenant's advanced settings, set the tenant-level SSO timeout values to a short period, like one minute, to disable the valid user sessions.
  2. If you use refresh tokens, you can add a rule to force the Refresh Token flow to fail:

     // Inside the rule's function (user, context, callback) body:
     if (context.protocol === 'oauth2-refresh-token') {
       return callback(new UnauthorizedError('Access denied.'));
     }
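
The check from step 2 as a complete rule, exercised locally against constructed contexts. This is an added example, not code from the original page, and it goes one step further by limiting the denial to specific applications. `BLOCKED_CLIENT_IDS`, the placeholder client IDs, the rule name and the `evaluate` helper are assumptions, and the `UnauthorizedError` class is a local stand-in for the global that the Rules runtime provides.

```javascript
// Local stand-in for the UnauthorizedError global supplied by the Auth0
// Rules runtime; defined here only so the example runs offline.
class UnauthorizedError extends Error {}

// Hypothetical client IDs of the applications whose connections were disabled.
const BLOCKED_CLIENT_IDS = new Set(['CLIENT_ID_PLACEHOLDER_A']);

// Rule in the (user, context, callback) shape that Auth0 Rules use.
function blockRefreshTokenExchange(user, context, callback) {
  const isRefresh = context.protocol === 'oauth2-refresh-token';
  if (isRefresh && BLOCKED_CLIENT_IDS.has(context.clientID)) {
    // Fail the refresh token exchange so no new tokens are issued.
    return callback(new UnauthorizedError('Access denied.'));
  }
  // Every other transaction continues through the pipeline unchanged.
  return callback(null, user, context);
}

// Runs the rule against one constructed context and reports the outcome.
function evaluate(context) {
  let outcome;
  blockRefreshTokenExchange({ user_id: 'constructed|user' }, context, (err) => {
    outcome = err ? `denied: ${err.message}` : 'allowed';
  });
  return outcome;
}

// Constructed sample contexts (not captured tenant data).
const samples = [
  { protocol: 'oauth2-refresh-token', clientID: 'CLIENT_ID_PLACEHOLDER_A' },
  { protocol: 'oauth2-refresh-token', clientID: 'CLIENT_ID_PLACEHOLDER_B' },
  { protocol: 'oidc-basic-profile', clientID: 'CLIENT_ID_PLACEHOLDER_A' },
];
for (const s of samples) {
  console.log(s.protocol, s.clientID, '->', evaluate(s));
}
```

The third sample is allowed because the rule only covers refresh token exchanges; logins that ride on a still-valid session are handled by the SSO timeout in step 1.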