ASL-19 / civicdr-backend

GNU General Public License v3.0

Deleted user from Auth0 stays logged in the platform #4

Closed MayaAvaz closed 5 years ago

MayaAvaz commented 7 years ago

A user is logged into the platform. As admin, I deleted the account on Auth0. The user stayed logged in to the platform and was able to create a ticket, etc.

If this behaviour can't be avoided, how can we enforce: 1) logout in case of user termination, 2) re-login in case of user changes (roles, passwords, etc.)?

majorzazz commented 7 years ago

@MayaAvaz login is done via a token that is requested from Auth0. This token has an expiry time that defaults to 10 hours (https://auth0.com/docs/tokens/id-token), and we can lower it to fit the use case via the dashboard.

Another method, if the expiration method is not sufficient, would be to create a revocation list at the API level and add a new admin route that allows adding and deleting revoked tokens; this would be a bit more effort to implement and would require the admin to keep track of the token list.

MayaAvaz commented 7 years ago

@majorzazz Thanks for the info. I changed the expiry time of the token to half an hour for now. I marked this issue as an enhancement for the next release. We can discuss the details later.

MayaAvaz commented 7 years ago

We changed the expiry time of the token back to the default 10 hours because of other unwanted behaviour seen when the token is short-lived.