Global Token Revocation – Auth0 Universal Logout integration with Okta

Auth0 has launched native support for Global Token Revocation and Okta’s Universal Logout functionality. This means that Auth0 applications now natively allow federated Okta customers to automatically revoke all of a user's sessions and tokens when Identity Threat Protection detects malicious or suspicious behaviour. Auth0-powered applications can now offer the same logout capabilities previously available only in popular large SaaS applications such as Google Workspace, Apple Business Manager, Microsoft Office 365, Salesforce, Slack, and Zoom.

What is Global Token Revocation?

Global Token Revocation extends the established OpenID Connect back-channel logout functionality by revoking refresh tokens as well as user sessions. When a request is received to log out a user it is validated and then

The following diagram from the Auth0 documentation shows how this works.

What is the impact?

The impact on the application user depends on the application type and how it is integrated with Auth0. Applications typically leverage Auth0 sessions, their own sessions or refresh tokens.

  • For browser-based applications that leverage Auth0 sessions, the user will lose access the next time the application polls the Auth0 session
  • For applications that leverage refresh tokens, the user will lose access when their current access token expires and they try to use their refresh token to get a new one. This delay can range from a few seconds up to the maximum access token lifetime

For applications that have implemented OIDC back-channel logout, users are logged out instantly.
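The instant-logout path above depends on the application's back-channel logout endpoint acting on the logout token correctly. The following is an added example, not Auth0's or Okta's code: a receiver that performs the claim checks required by OIDC Back-Channel Logout 1.0 (section 2.6) and then revokes the matching local sessions and refresh tokens together, so the refresh-token delay described earlier does not apply. It assumes the logout token's signature has already been verified against the OP's JWKS; the store shapes and function names are hypothetical.

```python
# Added example, not Auth0 or Okta code: validate an OIDC back-channel logout
# token's claims and revoke matching local sessions and refresh tokens at once.
# Assumes the JWT signature was verified against the OP's JWKS beforehand.
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
MAX_AGE_SECONDS = 120  # oldest iat we accept; limits the replay window

class LogoutTokenError(ValueError):
    """Raised when a logout token must not be acted on."""

def validate_logout_token_claims(claims, issuer, client_id, now=None, seen_jti=None):
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise LogoutTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise LogoutTokenError("not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now or now - iat > MAX_AGE_SECONDS:
        raise LogoutTokenError("iat missing or outside the accepted window")
    jti = claims.get("jti")
    if not jti or (seen_jti is not None and jti in seen_jti):
        raise LogoutTokenError("jti missing or already seen (replay)")
    if BACKCHANNEL_EVENT not in (claims.get("events") or {}):
        raise LogoutTokenError("missing back-channel logout event")
    if "sub" not in claims and "sid" not in claims:
        raise LogoutTokenError("neither sub nor sid present")
    if "nonce" in claims:  # a logout token must never look like an ID token
        raise LogoutTokenError("nonce must not be present")
    if seen_jti is not None:
        seen_jti.add(jti)  # remember accepted jti values to reject replays

def revoke_local_state(claims, sessions, refresh_tokens):
    """Both stores map an opaque id to {"sub": ..., "sid": ...} (hypothetical
    shape). A sid scopes revocation to that login; a bare sub revokes all."""
    field, value = ("sid", claims["sid"]) if "sid" in claims else ("sub", claims["sub"])
    revoked = []
    for store in (sessions, refresh_tokens):
        doomed = [key for key, record in store.items() if record.get(field) == value]
        for key in doomed:
            del store[key]
        revoked.append(len(doomed))
    return tuple(revoked)  # (sessions revoked, refresh tokens revoked)

def handle_backchannel_logout(claims, issuer, client_id, sessions, refresh_tokens, seen_jti, now=None):
    validate_logout_token_claims(claims, issuer, client_id, now, seen_jti)
    return revoke_local_state(claims, sessions, refresh_tokens)
```

Because the refresh tokens are revoked in the same step as the sessions, an attacker holding a stolen refresh token cannot mint a new access token after the logout token arrives.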

For more details refer to the release announcement and the documentation.
