Is there a way to set session expiration after a set length of time?

I believe there is a route you can use to force SSO accounts to be logged out in Discourse.

Yes, there is a /admin/users/{user_id}/log_out URL to log out a user.

The problem is, cookie expiration happens in the browser; the server-side code doesn't know about it and thus doesn't know when to use the above URL to log out a user.

The easiest way might be to track session validity in your SSO-providing application and issue this API call to log out users when appropriate. This also increases the security of your application: Without this, a stolen session cookie could be used forever!


Yes, we are thinking about this also. If there is no session expiration function in Discourse, or there won't be anytime soon, it seems that will be our only choice.
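A sketch of the approach discussed above, where the SSO-providing application tracks session age and calls the /admin/users/{user_id}/log_out route once a session is too old. This is an added example, not code from any poster or from Discourse. The 8-hour lifetime and the names `SessionTracker`, `logout_request` and `enforce` are assumptions; the request authenticates with the `Api-Key` and `Api-Username` headers of an admin API key.

```python
import time
import urllib.request

MAX_SESSION_SECONDS = 8 * 3600  # assumed policy: a session lives at most 8 hours


class SessionTracker:
    """Remembers when each Discourse user id last completed an SSO login."""

    def __init__(self, max_age=MAX_SESSION_SECONDS):
        self.max_age = max_age
        self.logins = {}  # Discourse user_id -> login time (epoch seconds)

    def record_login(self, user_id, now=None):
        # Call this from the SSO provider each time it signs a user in.
        self.logins[user_id] = time.time() if now is None else now

    def expired(self, now=None):
        now = time.time() if now is None else now
        return sorted(u for u, t in self.logins.items() if now - t >= self.max_age)


def logout_request(base_url, user_id, api_key, api_username="system"):
    """Build the POST to /admin/users/{user_id}/log_out without sending it."""
    # int() rejects anything that is not a numeric id before it reaches the URL.
    url = f"{base_url.rstrip('/')}/admin/users/{int(user_id)}/log_out"
    headers = {"Api-Key": api_key, "Api-Username": api_username}
    return urllib.request.Request(url, data=b"", method="POST", headers=headers)


def enforce(tracker, base_url, api_key, send=urllib.request.urlopen, now=None):
    """Log out every user whose session is too old; return the ids handled."""
    done = []
    for user_id in tracker.expired(now):
        request = logout_request(base_url, user_id, api_key)
        with send(request, timeout=10) as response:
            if response.status == 200:
                # Forget the session only once Discourse confirmed the logout,
                # so a failed call is retried on the next run.
                del tracker.logins[user_id]
                done.append(user_id)
    return done
```

Run `enforce` on a schedule (cron or a background job) and keep the API key out of source control, since it carries admin rights on the forum.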