chastain

Reputation: 83

Forced logout after password reset WSO2 IS

Is there any way to invalidate user sessions after a successful password reset? Currently I'm trying to figure out some way to do it with our setup (IS 5.8.0). We want to achieve a situation where, i.e., a user is logged in on a PC and on a mobile device or another PC; he resets his password, and after that he should be logged out of all PC and mobile devices.

Upvotes: 1

Views: 443

Answers (1)

Piraveena Paralogarajah

Reputation: 1515

IS revokes the sessions and access tokens with the password update event.

Since your requirement is to force logout the users from your application side:

Option 1:

Since the access tokens are revoked on the identity server side, you can periodically check whether the access token is active, and if it is not active, you can force logout the users from the application side.

Option 2:

Since IS triggers a session termination event when revoking the active sessions, you can write a custom event handler to listen to the session termination event and write the logic to send custom notifications to your applications.

For IS 5.8.0, you can use either one of the above options.

From 5.12.0-m5 onwards, when the session termination gets triggered internally (e.g. password update, session termination by REST API; note: IS already supports OIDC back-channel logout if session termination is triggered by the user logout mechanism), IS will send an OIDC back-channel logout notification to the OIDC applications if the applications have enabled it.

Upvotes: 2
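The answer's final option relies on the application (the OIDC relying party) receiving and acting on a back-channel logout notification. The following is an added example, not code from the answer above and not part of WSO2 Identity Server: it validates a logout token following the checks in the OIDC Back-Channel Logout specification (issuer, audience, `iat` freshness, the `events` claim, presence of `sub` or `sid`, absence of `nonce`, `jti` replay) and then terminates the matching local sessions, which is the "logged out of all devices" outcome the question asks for. The issuer URL, client id, shared key, session records and token contents are all constructed for the demo; the HS256 signing helper stands in for the identity server, which in practice signs with its private key and is verified via its JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Event URI defined by the OIDC Back-Channel Logout spec for logout tokens.
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# --- constructed sample values (hypothetical, not from any real deployment) ---
ISSUER = "https://idp.example.test/oauth2/token"
CLIENT_ID = "my-rp-app"
SHARED_KEY = b"example-shared-secret"  # stands in for the IdP's signing key


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_logout_token(claims: dict, key: bytes) -> str:
    """Constructed helper that plays the identity server: builds an HS256-signed
    logout token. Real IdPs use an asymmetric algorithm such as RS256."""
    parts = [json.dumps(p, separators=(",", ":")).encode()
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(_b64url_encode(p) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_logout_token(token, key, issuer, client_id, seen_jti, now=None, max_age=300):
    """Validate a logout token (OIDC Back-Channel Logout, section 2.6).
    Returns the claims on success and raises ValueError on any failed check."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the alg the token asks for
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))

    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + 60 or now - iat > max_age:
        raise ValueError("iat missing or outside the acceptable window")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("missing back-channel logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("token carries neither sub nor sid")
    if "nonce" in claims:
        raise ValueError("logout tokens must not carry a nonce")  # rejects misuse of an ID token
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return claims


def apply_logout(sessions, claims):
    """Terminate the local sessions the token names: one session when sid is
    given, otherwise every session of the subject. Returns terminated sids."""
    key, value = ("sid", claims["sid"]) if "sid" in claims else ("sub", claims["sub"])
    targets = [s for s in sessions if s[key] == value]
    for s in targets:
        s["active"] = False
    return [s["sid"] for s in targets]


def sample_sessions():
    # Constructed session store: alice is signed in on a PC and a phone.
    return [{"sid": "sess-pc", "sub": "alice", "active": True},
            {"sid": "sess-mobile", "sub": "alice", "active": True},
            {"sid": "sess-bob", "sub": "bob", "active": True}]


def sample_token(now, **extra):
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "iat": now, "jti": "evt-1",
              "events": {BACKCHANNEL_LOGOUT_EVENT: {}}, "sub": "alice"}
    claims.update(extra)
    return make_logout_token(claims, SHARED_KEY)


def demo(now=1_700_000_000):
    """Password reset for alice: the IdP sends a sub-only logout token, so every
    one of alice's sessions is terminated and bob's is untouched."""
    claims = verify_logout_token(sample_token(now), SHARED_KEY, ISSUER, CLIENT_ID, set(), now=now)
    return apply_logout(sample_sessions(), claims)


if __name__ == "__main__":
    print(demo())
```

The design point for the relying party is that a logout token without `sid` must be treated as "end every session of this subject", which is exactly what a password reset should produce; a token with `sid` ends only the named session. The `seen_jti` set must be shared across your application's workers (a database or cache, not a per-process set) or a captured token could be replayed later.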
