In an Enterprise Connection setup (e.g., SAML or LDAP), are changes like role revocation or user deletion at the IdP reflected in the access token during refresh token flows, or only after a full re-authentication?
In other words, if our enterprise customer wants to ensure that revoking a user’s roles or logging them out affects access to our application, this should take effect at least when the access token is renewed.
Hi @ggulyas, and welcome to the Auth0 Community!
Changes made at the Identity Provider (IdP), such as role revocation or user deletion, are not automatically detected during a standard refresh token flow.
The refresh token exchange is a non-interactive process that relies on the user data stored within the existing Auth0 session. It does not re-contact the external IdP to check for updates. The new access token will be issued with the same roles and permissions the user had when they last authenticated.
The most effective way to enforce these changes is to have your customer’s system (the IdP environment) trigger an API call to Auth0 whenever a user’s status or roles are modified.
By calling the Auth0 Management API to revoke the user’s sessions, you invalidate their refresh tokens.
- Endpoint: DELETE /v2/users/{user_id}/sessions
When this endpoint is called for a specific user, all of their active sessions and associated refresh tokens are immediately terminated. The next time your application attempts to use its refresh token, the request will fail. Your application should be configured to handle this failure by prompting the user for a full re-authentication, which will then pull the updated profile from the IdP.
I hope this helps you!
Sincerely,
Teodor.
Hey Teodor,
Do you know what the design reasoning was behind this? Initially, I assumed that when an access token expires and a new one is requested via the refresh token mechanism, Auth0 would replicate the same behavior as with a database connection — meaning that if a role is revoked in the external IdP, the new access token would reflect that change.
Are there any other options than calling the delete sessions endpoint? That would mean we need to expose that endpoint to the customer, and they would also do work on their end (which is actually the more problematic part).
One more thing: one section of the documentation mentions that Native Azure AD and SAML connections support federated logout (“Single Logout” or SLO). Isn’t it something that could help? I imagine that the customer’s admins can force log off users, and if I understand well, the SLO would terminate the Auth0 session as well and request a re-authentication. Is that correct?
This could be a good middle-ground, as it gives a customer an option to force the changes.
Hi again @ggulyas!
I’m sorry, but I don’t know the reason why the changes are not reflected in the access token as you described. I could only guess that performance could be a cause.
As for the SLO feature, I’m not familiar with it myself, but reading the documentation, it looks like it might solve your use case nicely. Please give it a try and let me know if it worked out for you.
Thanks,
Teodor.