Universal Logout
Auth0 supports Universal Logout integrations with Okta Workforce Identity Cloud (WIC) to log users out of applications when an administrative or security event occurs.
Universal Logout is based on the Global Token Revocation specification, which goes beyond the established OpenID Connect (OIDC) back-channel logout standards by revoking refresh tokens in addition to user sessions. This comprehensive logout solution spans traditional web applications, browser-based JavaScript applications such as Single-Page Applications (SPAs), and native applications that use a mix of application sessions, identity provider sessions, and refresh tokens to keep the user authenticated.
If you use the Okta, SAML, or OpenID Connect connection types to federate with Workforce Identity Cloud, you no longer need to build a global token revocation endpoint to work with Okta Universal Logout. Instead, you can provide Auth0's connection-specific endpoint URL to the Okta Workforce administrator and, if necessary, use Auth0's OpenID Connect Back-Channel Logout to terminate application sessions.
How it works
Auth0 receives a request to log out a user and validates the request using the same key set used to validate ID tokens and access tokens issued from Okta WIC. It then terminates all Auth0 sessions for the user, revokes Auth0-issued refresh tokens, and, if configured, triggers OpenID Connect Back-Channel Logout to revoke application sessions.
The time it takes for an application user to lose access depends on the application's type and how it is integrated with Auth0. Auth0 supports a wide range of application architectures via support for the OIDC and OAuth 2.0 identity standards and Auth0's Quickstarts and SDKs. This includes:
Traditional Web applications that create their own application sessions may use refresh tokens and access tokens to access APIs through a secure backend.
Browser-based JavaScript applications that leverage the Auth0 session layer or use techniques like refresh token rotation to get access tokens needed to access APIs within a Web browser.
Native or Mobile applications that don’t run in a Web browser and use refresh tokens and access tokens as the primary method of keeping users signed in.
Revoke refresh tokens and Auth0 user sessions
Applications that use refresh tokens or leverage Auth0 sessions get an immediate security benefit when the Universal Logout integration is enabled. Refresh tokens and Auth0 sessions are both instantly revoked when Auth0 receives a Universal Logout request.
For browser-based apps that leverage the Auth0 session, the user loses access the next time the application polls the Auth0 session.
For apps that use refresh tokens, the user loses access as soon as their current access token expires, which can range from a few seconds up to the maximum access token lifetime configured in Auth0.
Revoke application user sessions
Web applications that create their own sessions should use Auth0’s existing OpenID Connect back-channel logout feature to terminate them when Universal Logout terminates the Auth0 user session. This provides instant user logout for all web applications that use it. To learn more, see the Auth0 SDKs and Implementation Examples.