
If a user is logged in on several browsers and resets the password in one of them, the user needs to be logged out in all browsers, but this is not happening currently because I am only checking the expiration time of a token that is cached locally. Is there any way I can track the password change event in my application?

public isAuthenticated(): boolean {
    // Compare the current time with the access token's expiry time
    // cached in envGlobals. Nothing here consults Auth0, so a password
    // reset elsewhere is not noticed until expiresAt passes.
    let expiresAt: number | undefined;
    if (this.envGlobals.env.authResult) {
        expiresAt = JSON.parse(this.envGlobals.env.authResult).expiresAt;
    }
    // With no cached authResult, expiresAt is undefined and the user is
    // treated as logged out.
    return expiresAt !== undefined && new Date().getTime() < Number(expiresAt);
}

2 Answers


I work with the Auth0 Community team and I was taking a look at your question. It seems like you aren't fully clearing the session after logout. I have linked some documentation below on this front. We also have a number of quickstarts that reside on the same page, and depending on your stack you can verify your logout method there.

https://auth0.com/docs/logout

  1. Application Session Layer: The first layer is the session inside your application. Though your application uses Auth0 to authenticate users, you'll still need to track that the user has logged in to your application. In a regular web application, you achieve this by storing information inside a cookie. Log users out of your applications by clearing their session. You should handle the application session in your application.
  2. Auth0 Session Layer: Auth0 also maintains a session for the user and stores their information inside a cookie. The next time a user is redirected to the Auth0 Lock screen, the user's information will be remembered. Log users out of Auth0 by clearing the Single Sign-on (SSO) cookie.
  3. Identity Provider Session Layer: The last session layer is the identity provider layer (for example, Facebook or Google). When users attempt to sign in with any of these providers and they are already signed into the provider, they will not be prompted again to sign in. The users may be asked to give permission to share their information with Auth0 and, in turn, your application. It is not necessary to log the users out of this session layer, but you can force the logout. (For more information, see Log Users Out of Identity Providers and Log Users Out of SAML Identity Providers.)
Coding Morrison
  • Hi Morrison, thank you for the information. I have a scenario where the user is logged in on different browsers and resets the password in one of them. The user will be logged out immediately after a refresh; this is fine, as we get a new token. But if he makes any API call that retrieves data, there is a refresh time of 60 sec, after which the user will be logged out because it fetches the refresh token. There is no check during those 60 sec, so is there any Angular event for a successful password reset, so that I can do something at code level that sets the expiresAt in the code shown above to 0? – Narasing Kokane Jan 14 '20 at 07:42

It is true that Auth0 does not sync the session between the Authorization Server and the client application. As you are storing the token locally, there is no way for Auth0 to know whether the user is logged in to the application or not. This is mostly the application's responsibility. One possible approach would be to keep the session lifetime short and use the silent authentication mechanism to renew the token. When the user resets the password, the session in the authorization server is invalidated. During silent authentication, Auth0 will return a login_required error to prompt the user to log in. With this approach, the user might not be logged out immediately, as silent authentication is only triggered when the token expires in the application.

A second workaround would be to use the Auth0 password change hook. The password change hook can be used to execute custom code. Perhaps you can notify your application on password change and perform an automatic logout by redirecting the user to the /v2/logout endpoint from the application.

https://auth0.com/docs/hooks/guides/post-change-password

Tanver Hasan
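As an added example, not code from the question or from either answer, the JavaScript below models the two workarounds in the second answer against a local token cache shaped like the one in the question. Everything in it is an assumption for the demo: silentAuth() is a synchronous stand-in for auth0-js checkSession() that returns either { error: 'login_required' } or a fresh { accessToken, expiresIn }; the cache additionally records issuedAt; and the in-memory Map stands in for the notification a post-change-password hook would send to the application backend. The domain, client id and returnTo values are placeholders.

```javascript
// Added example (not from the question or answers). Assumed shapes and names
// throughout; see the lead-in above.

function isAuthenticated(cache, now = Date.now()) {
  // Same check as the question's isAuthenticated(): valid until expiresAt,
  // with no knowledge of what happened at the authorization server.
  if (!cache.authResult) return false;
  return now < Number(JSON.parse(cache.authResult).expiresAt);
}

function storeAuthResult(cache, authResult, now = Date.now()) {
  // Assumption: the cache also keeps issuedAt so it can be compared with a
  // password-change time later on.
  cache.authResult = JSON.stringify({
    accessToken: authResult.accessToken,
    issuedAt: now,
    expiresAt: now + authResult.expiresIn * 1000,
  });
}

// Workaround 1: short-lived token, renewed by silent authentication.
// silentAuth() is the assumed synchronous stand-in for checkSession().
// After a password reset the authorization-server session is gone, so the
// renewal fails with login_required; the local copy is dropped and the caller
// is told to log out instead of trusting expiresAt for the rest of its life.
function renewIfExpiring(cache, silentAuth, now = Date.now(), renewBeforeMs = 60000) {
  const cached = cache.authResult ? JSON.parse(cache.authResult) : null;
  if (cached && now + renewBeforeMs < Number(cached.expiresAt)) {
    return 'still-valid';
  }
  const result = silentAuth();
  if (result.error) {
    cache.authResult = null; // isAuthenticated() is false from here on
    return result.error === 'login_required' ? 'logout' : 'retry';
  }
  storeAuthResult(cache, result, now);
  return 'renewed';
}

// Workaround 2: a post-change-password hook notifies the application.
// Auth0 hooks are plain callbacks of the form function (user, context, cb);
// this stand-in records the change time per user id in memory instead of
// calling the application's backend (assumption for the demo).
const passwordChangedAt = new Map();

function postChangePasswordHook(user, context, cb) {
  passwordChangedAt.set(user.id, Date.now());
  cb();
}

// The application then treats any cached token issued before the recorded
// change as dead, clears it, and returns the Auth0 logout URL to redirect to.
function logoutUrlIfStale(cache, userId, auth0Domain, clientId, returnTo) {
  const changedAt = passwordChangedAt.get(userId);
  if (!cache.authResult || changedAt === undefined) return null;
  const { issuedAt } = JSON.parse(cache.authResult);
  if (issuedAt >= changedAt) return null;
  cache.authResult = null;
  const url = new URL(`https://${auth0Domain}/v2/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  return url.toString();
}
```

The first workaround still leaves a window of at most one token lifetime, which is why the answer recommends keeping that lifetime short; the second closes the window only for requests that reach the application, which is why the two are usually combined.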