Hey all! I’m working on an SSO implementation for a client, and they’ve raised a concern with me that I haven’t been able to answer for them yet.
Setting the scene, let’s say we have an SSO setup with universal login, and an application using the authorization code flow. There’s also a connection to Azure Active Directory as our user store. We’ve got a user who has already authenticated, and received a refresh token. Some time after they’ve received their refresh token, the user is deleted in Azure Active Directory.
The question is, what happens the next time the user tries to use their refresh token to mint a new access token? Does Auth0 check that the user still exists in AAD?
Let’s instead say we’re using the implicit flow, and the user needs to redirect to the Auth0 Authorisation Server, and use their session there to get a new access token. What happens here? Is it the same answer as before?
Thanks in advance!
Also, if my search fu was weak, and the info was out there for the finding, please let me know where I missed it.
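The question above has no answer on this page, and nothing here states what Auth0 itself does. The following is an added illustration (not the poster's code, and not Auth0's or Azure AD's implementation) of the behaviour a defender would want from an authorization server in both of the scenarios described: a refresh-token grant and a session-based re-authorization (the implicit-flow case) each re-check the upstream user store before minting a new access token, and fail closed once the user has been deleted. `UserStore`, `AuthServer`, and the in-memory token and session tables are all assumptions made for the example.

```python
"""Hypothetical authorization server that re-validates the upstream user on
every token grant.  This models the behaviour the question asks about; it is
NOT Auth0's implementation and makes no claim about how Auth0 handles it."""
import secrets
import time


class UserStore:
    """Stand-in for the upstream directory (Azure AD in the question).
    Constructed sample data; a real deployment would query the directory."""

    def __init__(self, users):
        self._users = set(users)

    def exists(self, user_id):
        return user_id in self._users

    def delete(self, user_id):
        self._users.discard(user_id)


class AuthServer:
    """Minimal model of the Auth0-style authorization server from the post."""

    def __init__(self, store, access_ttl=300):
        self.store = store
        self.access_ttl = access_ttl
        self._refresh_tokens = {}   # refresh token -> user id (assumed storage)
        self._sessions = {}         # SSO session id -> user id (assumed storage)

    def _mint_access(self, user_id):
        # Opaque stand-in for a signed access token.
        return {"sub": user_id, "exp": time.time() + self.access_ttl}

    def login(self, user_id):
        """Universal login: user proves identity, gets a session, a refresh
        token (authorization code flow) and an initial access token."""
        if not self.store.exists(user_id):
            raise PermissionError("access_denied: unknown user")
        session_id = secrets.token_urlsafe(16)
        refresh_token = secrets.token_urlsafe(32)
        self._sessions[session_id] = user_id
        self._refresh_tokens[refresh_token] = user_id
        return session_id, refresh_token, self._mint_access(user_id)

    def _require_live_user(self, user_id, table, key):
        """Shared check: if the user is gone upstream, revoke the credential
        that referenced them and fail closed."""
        if not self.store.exists(user_id):
            del table[key]
            raise PermissionError("invalid_grant: user no longer exists")

    def refresh_grant(self, refresh_token):
        """Authorization code flow: exchange a refresh token for a new access
        token, but only if the user still exists in the upstream store."""
        user_id = self._refresh_tokens.get(refresh_token)
        if user_id is None:
            raise PermissionError("invalid_grant: unknown refresh token")
        self._require_live_user(user_id, self._refresh_tokens, refresh_token)
        return self._mint_access(user_id)

    def session_grant(self, session_id):
        """Implicit flow: the browser returns with its SSO session cookie and
        asks for a fresh access token; same check, applied to the session."""
        user_id = self._sessions.get(session_id)
        if user_id is None:
            raise PermissionError("login_required: no session")
        self._require_live_user(user_id, self._sessions, session_id)
        return self._mint_access(user_id)


def simulate_deleted_user(user_id="alice@example.test"):
    """Walk through the scenario from the post and report what each step did.
    Returns (refresh_ok_before, refresh_denied_after, session_denied_after)."""
    store = UserStore([user_id])
    server = AuthServer(store)
    session_id, refresh_token, _ = server.login(user_id)

    refresh_ok_before = server.refresh_grant(refresh_token)["sub"] == user_id

    store.delete(user_id)           # user removed from the directory upstream

    try:
        server.refresh_grant(refresh_token)
        refresh_denied_after = False
    except PermissionError:
        refresh_denied_after = True

    try:
        server.session_grant(session_id)
        session_denied_after = False
    except PermissionError:
        session_denied_after = True

    return refresh_ok_before, refresh_denied_after, session_denied_after


if __name__ == "__main__":
    print(simulate_deleted_user())
```

The design point is that a refresh token or SSO session is only a pointer to a user record, so the server re-resolves that pointer on every grant rather than trusting the credential alone; whether a given hosted identity provider does this on refresh, on session reuse, or only at next interactive login is exactly what the question asks and is worth confirming against the vendor's documentation rather than assumed from this model.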