Users Are Still Able to Log In Even After Disabling Database and Passwordless Connections

Problem Statement:

We see successful login events even after disabling the database and passwordless connections for our applications. How can we prevent these logins?

Cause:

Disabling a connection only blocks new authentications through that connection. It does not end sessions that are already established or invalidate refresh tokens that have already been issued, so a user with a valid session (or a refresh token) can still obtain tokens and appear in the logs as a successful login.

Solution:

  1. In the tenant's Advanced settings, set the tenant-level SSO timeout values to a short period, such as one minute, so that existing user sessions expire.
  2. If you use refresh tokens, add a rule that makes the Refresh Token flow fail. The rule below denies any request using the refresh-token grant and lets every other flow continue unchanged:

```javascript
function (user, context, callback) {
  if (context.protocol === 'oauth2-refresh-token') {
    return callback(new UnauthorizedError('Access denied.'));
  }
  return callback(null, user, context);
}
```
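To check how the rule behaves before deploying it, the following added example (not part of the original article or of Auth0's own code) runs the refresh-token rule offline against a few constructed `context` objects. In the Auth0 Rules sandbox, `UnauthorizedError` is a global supplied by the platform; the local class below is a stand-in so the snippet runs in plain Node.js, and the `runRule` helper and the sample contexts are constructed for this example.

```javascript
// Stand-in for the `UnauthorizedError` global that the Auth0 Rules sandbox
// provides; defined here only so the example runs outside Auth0.
class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnauthorizedError';
  }
}

// The rule in the standard Auth0 rule shape: (user, context, callback).
// Requests using the refresh-token grant are denied; all other flows pass.
function denyRefreshTokenFlow(user, context, callback) {
  if (context.protocol === 'oauth2-refresh-token') {
    return callback(new UnauthorizedError('Access denied.'));
  }
  return callback(null, user, context);
}

// Helper (constructed for this example): runs the rule against one context and
// returns the decision instead of relying on the callback, so it can be asserted on.
function runRule(context) {
  let result;
  denyRefreshTokenFlow({ user_id: 'auth0|example' }, context, (err) => {
    result = err
      ? { allowed: false, error: err.name + ': ' + err.message }
      : { allowed: true, error: null };
  });
  return result;
}

// Constructed sample contexts; only `protocol` matters to this rule.
const samples = [
  { clientName: 'Web App', protocol: 'oidc-basic-profile' },   // interactive login
  { clientName: 'Web App', protocol: 'oauth2-refresh-token' }, // refresh token exchange
  { clientName: 'CLI',     protocol: 'oauth2-device-code' },   // device authorization
];

for (const ctx of samples) {
  const r = runRule(ctx);
  console.log(`${ctx.protocol.padEnd(22)} -> ${r.allowed ? 'allowed' : 'denied (' + r.error + ')'}`);
}
```

Only the `oauth2-refresh-token` context is denied; an interactive login is unaffected by this rule and is handled by the shorter SSO session timeout from step 1.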