Is there a way to set session expiration after a set length of time?

I believe there is a route you can use to force SSO accounts to be logged out in Discourse.

Yes, there is a /admin/users/{user_id}/log_out URL to log out a user.

The problem is, cookie expiration happens in the browser; the server-side code doesn't know about it and thus doesn't know when to use the above URL to log out a user.

The easiest way might be to track session validity in your SSO-providing application and issue this API call to log out users when appropriate. This also increases the security of your application: Without this, a stolen session cookie could be used forever!

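Added example, not part of the original thread and not Discourse's own code: one way the SSO-providing application could track session validity itself and call the log_out route from above once a session is too old or idle too long. The timeout values, the session store layout, the "system" API username, the forum.example.com host and the placeholder key are assumptions; the request uses Discourse's Api-Key / Api-Username API headers.

```python
import urllib.request
from dataclasses import dataclass

MAX_AGE = 8 * 3600   # absolute session lifetime in seconds (assumed policy)
MAX_IDLE = 30 * 60   # idle timeout in seconds (assumed policy)

@dataclass
class Session:
    discourse_user_id: int  # Discourse-side user id, not the SSO external_id
    created: float          # epoch seconds at SSO login
    last_seen: float        # epoch seconds of the last authenticated request

def is_expired(s, now):
    return now - s.created > MAX_AGE or now - s.last_seen > MAX_IDLE

def logout_request(base_url, user_id, api_key, api_user="system"):
    # Admin route quoted in the thread; int() keeps the path segment numeric.
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/admin/users/{int(user_id)}/log_out",
        data=b"", method="POST",
        headers={"Api-Key": api_key, "Api-Username": api_user},
    )

def sweep(sessions, now, base_url, api_key, send=urllib.request.urlopen):
    """Log out users whose SSO session expired; return the ids logged out."""
    logged_out = []
    for sid, s in list(sessions.items()):
        if not is_expired(s, now):
            continue
        try:
            send(logout_request(base_url, s.discourse_user_id, api_key))
        except OSError:    # URLError/HTTPError: keep the session, retry next sweep
            continue
        del sessions[sid]  # forget it only after the logout call succeeded
        logged_out.append(s.discourse_user_id)
    return logged_out

if __name__ == "__main__":
    now = 1_700_000_000.0  # constructed clock and sessions for the demo
    store = {
        "a": Session(11, now - 9 * 3600, now - 60),   # past absolute lifetime
        "b": Session(12, now - 3600, now - 45 * 60),  # idle too long
        "c": Session(13, now - 3600, now - 60),       # still valid
    }
    sent = []  # stand-in transport: records requests instead of sending them
    print(sweep(store, now, "https://forum.example.com", "PLACEHOLDER_KEY", send=sent.append))
    print([r.full_url for r in sent], sorted(store))
```

Run sweep from a periodic job in the SSO application; a failed call leaves the session in the store so the logout is retried rather than silently skipped.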

Yes, we are thinking about this also. If there is no session expiration function in Discourse, or there won't be one anytime soon, it seems that will be our only choice.