Our Discourse board is set up to use SSO with our application’s authentication, with registration disabled on the Discourse end. A user reported they reset their password on one machine, then used a different machine where they saw their session invalidated with our application (correct behavior), but their session with the Discourse board is still active (not ideal).
Is this the expected behavior given the scenario?
My first instinct is to send an SSO sign out payload to our Discourse board when the user updates their password on our application’s authentication. I just want to make sure this is the path we need to take before I assign time to this task.