
fabricecw

Auth session - single log out

We use Socialite to authenticate users via Microsoft. If a user is successfully authenticated, we establish a session:

use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Str;
use Laravel\Socialite\Facades\Socialite;

class MicrosoftLoginController extends Controller
{
    // REDIRECT_AFTER_LOGIN is a constant on this controller; its value is not shown in the post.

    public function handleCallback()
    {
        try {
            $azureUser = Socialite::driver('microsoft')->user();
        } catch (\Exception $exception) {
            Log::warning('Microsoft authentication failed. Exception: ' . $exception->getMessage());

            return redirect(self::REDIRECT_AFTER_LOGIN);
        }

        $existingUser = User::where('microsoft_uid', $azureUser->id)->first();

        // If the Azure user already exists, log them in (Auth::login regenerates the session id).
        if ($existingUser) {
            Auth::login($existingUser);

            return redirect(self::REDIRECT_AFTER_LOGIN);
        }

        // If the Azure user authenticates for the first time, create a new user.
        // Users can not log in with a password, so store a hash of a random value.
        // Hash::make rather than encrypt(): the password column must never be reversible.
        $createUser = User::create([
            'name' => $azureUser->name,
            'email' => $azureUser->email,
            'microsoft_uid' => $azureUser->id,
            'password' => Hash::make(Str::random(32)),
        ]);

        Auth::login($createUser);

        return redirect(self::REDIRECT_AFTER_LOGIN);
    }
}

In the session settings, we configured a lifetime of 120 minutes, and the session expires when the browser is closed.

But this doesn't feel right. Let's say a user wants to log out on all sessions with Microsoft, he should also be logged out immediately in the application.

There is an OIDC Front-Channel Logout function in Microsoft's IdP which calls a webhook when the user logs out somewhere. But I can't find a straightforward solution for how to destroy all user sessions then.

Is there a good approach to ensure a Single-Log-Out with application sessions?

martinbean

@fabricecw Not really, because a session in your application isn’t intrinsically linked to an OAuth token issued by a third party. Just like logging out of your application wouldn’t automatically revoke a token on Microsoft’s servers. Microsoft gave you a token; it was then in your hands to do what you wanted with it.

If a user revokes their token, then that just stops requests being made with that token. It doesn’t end a session in your application. I don’t know what “OIDC Front-Channel Logout” is, but if Microsoft does offer a webhook to be notified of any expiring/revoked tokens, then your application will need to set up a listener for that. You can then look up the user associated with the token that was expired/revoked, and end their sessions that way.

Otherwise, you would only know if a token has been revoked/expired if you tried to make an API request with that token and got a 401 response.

fabricecw

Hi @martinbean

Thanks for your help. Since I can't find a lot about SLO in the Laravel world, I just wanna get options and thoughts about the importance of SLO. Would you recommend using OAuth tokens in place of sessions and validating them on every request made against the application? Or is the common way to establish a temporary session in the application?

I set up a listener for the OIDC Front-Channel Logout. It requires further application changes (DB sessions, tracking all sessions, ...). It's a way, but doesn't feel like "best practice".
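The approach both replies circle around (a listener for the IdP's logout request that looks up the affected user's sessions and ends them) can be made concrete with the database session driver. The following is an added example written for this thread, not code from either poster or from Laravel/Socialite. It assumes SESSION_DRIVER=database, a hypothetical extra table `oidc_sessions` (columns `sid`, `session_id`, `user_id`, `created_at`) that maps the IdP session id (the `sid` claim of the ID token) to the Laravel session id, that the `openid` scope was requested so an `id_token` is returned, that the ID token is reachable as `$azureUser->accessTokenResponseBody['id_token']` (an assumption about the Socialite user object), and a hypothetical config key `services.microsoft.issuer` holding the expected `iss` value. The `sid`-based lookup is the important part: the IdP loads the front-channel logout URL inside an iframe on its own origin, and with Laravel's default `SameSite=lax` cookie setting the application's session cookie is not sent on that request, so the handler cannot identify the user from the cookie.

```php
<?php
// Added example for this thread (not the posters' code). See the lead-in for the assumptions.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Log;

final class FrontChannelLogoutController
{
    // Read the `sid` claim from an ID token that was received directly from the token
    // endpoint over TLS. The signature is not checked here because the token came straight
    // from the issuer in a server-to-server exchange; never apply this to a token that
    // arrived via the browser.
    public static function sidFromIdToken(?string $idToken): ?string
    {
        if ($idToken === null || substr_count($idToken, '.') !== 2) {
            return null;
        }
        [, $payload] = explode('.', $idToken);
        $json = base64_decode(strtr($payload, '-_', '+/'), true);
        $claims = $json === false ? null : json_decode($json, true);

        return is_array($claims) && isset($claims['sid']) && is_string($claims['sid'])
            ? $claims['sid']
            : null;
    }

    // Call this in the Socialite callback right after Auth::login($user):
    //   $sid = self::sidFromIdToken($azureUser->accessTokenResponseBody['id_token'] ?? null);
    //   if ($sid !== null) { self::record($sid, session()->getId(), $user->id); }
    // Auth::login() has already migrated to a fresh session id, and that id is the one the
    // database driver persists at the end of the request, so the mapping stays valid.
    public static function record(string $sid, string $laravelSessionId, int $userId): void
    {
        DB::table('oidc_sessions')->insert([
            'sid'        => $sid,
            'session_id' => $laravelSessionId,
            'user_id'    => $userId,
            'created_at' => now(),
        ]);
    }

    // Destroy every application session tied to the IdP session that was logged out.
    // Returns the number of rows removed from the `sessions` table.
    public static function terminateBySid(string $sid): int
    {
        $sessionIds = DB::table('oidc_sessions')->where('sid', $sid)->pluck('session_id')->all();
        if ($sessionIds === []) {
            return 0;
        }
        $deleted = DB::table('sessions')->whereIn('id', $sessionIds)->delete();
        DB::table('oidc_sessions')->where('sid', $sid)->delete();

        return $deleted;
    }

    // Register as: Route::get('/oidc/frontchannel-logout', FrontChannelLogoutController::class);
    // and configure that URL as the app's front-channel logout URL at the IdP. Keep the route
    // out of the `auth` middleware: the request carries no application session cookie.
    public function __invoke(Request $request): Response
    {
        $expectedIssuer = config('services.microsoft.issuer'); // hypothetical config key
        $iss = $request->query('iss');
        $sid = $request->query('sid');

        // Reject requests that do not name our issuer or carry no session id. A forged
        // request could at worst log a user out, so the check is cheap insurance.
        if (!is_string($sid) || $sid === '' || $iss !== $expectedIssuer) {
            Log::warning('Rejected front-channel logout request', [
                'iss'     => $iss,
                'has_sid' => is_string($sid) && $sid !== '',
            ]);

            return response('', 400);
        }

        $removed = self::terminateBySid($sid);
        Log::info('Front-channel logout processed', ['sessions_removed' => $removed]);

        // Plain 200 with no redirect. If the app sends X-Frame-Options or a CSP
        // frame-ancestors directive, this one route must allow the IdP's origin.
        return response('', 200)->header('Cache-Control', 'no-store');
    }
}
```

Two caveats that the thread's own "DB sessions, tracking all sessions" remark hints at: the `oidc_sessions` rows should be purged together with expired `sessions` rows (or by a scheduled job keyed on `created_at`), and a session that is logged out from another device is only one of possibly several per user, so if the requirement is "log out everywhere", delete by `user_id` instead of by `sid` once the user has been resolved through the mapping.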
