Hey all! I’m working on an SSO implementation for a client, and they’ve raised a concern with me that I haven’t been able to answer for them yet.
Setting the scene, let’s say we have an SSO setup with universal login, and an application using the authorization code flow. There’s also a connection to Azure Active Directory as our user store. We’ve got a user who has already authenticated, and received a refresh token. Some time after they’ve received their refresh token, the user is deleted in Azure Active Directory.
The question is, what happens the next time the user tries to use their refresh token to mint a new access token? Does Auth0 check that the user still exists in AAD?
Let’s instead say we’re using the implicit flow, and the user needs to redirect to the Auth0 Authorisation Server, and use their session there to get a new access token. What happens here? Is it the same answer as before?
Thanks in advance!
Also, if my search fu was weak, and the info was out there for the finding, please let me know where I missed it.
As far as I’m aware, at this time, there’s no built-in support to handle deprovisioning of users in upstream identity providers in an automatic way. As you mentioned, depending on the flow and/or tenant configuration once a user authenticates with an upstream identity provider certain artefacts (refresh tokens, cookie based sessions) will be created within the context of the Auth0 tenant and these artefacts have an independent lifetime.
For example, a refresh token issued by Auth0 will remain usable within the context of Auth0 independently of the state of the user in an upstream identity provider.
What’s possible at this time will vary depending on scenario and upstream identity provider. For example, if the upstream identity provider can configured in a web hooks kind of way that causes an endpoint under your control to be called once a user is deprovisioned then you could use that event to cleanup within the Auth0 tenant by using the Management API.
Alternatively, it may also be possible to have a custom rule that upon a flow going through Auth0 performs an additional call to the upstream identity provider in order to check if the user still exists. This can be done for example for a refresh token exchange which would normally return refreshed tokens without checking anything on the upstream identity provider, but implies the identity provider has an endpoint that allows to check user existence and also carries some network overhead.