I guess I need a Rule for invalidating/revoking refresh tokens when a user changes password.
I took a look at the “Check last password reset” Rule, but I'm not quite sure how to use that.
You can revoke the refresh token through the Management API v2, outlined here: Refresh Tokens
If using the Check Last Password Reset rule, you could do the following:
// daydiff and last_password_change are defined in the Check Last Password Reset rule template
function daydiff(first, second) {
  return (second - first) / (1000 * 60 * 60 * 24);
}
var last_password_change = user.last_password_reset || user.created_at;
// If password was reset within the last day
if (daydiff(new Date(last_password_change), new Date()) < 1) {
  // Revoke refresh token here
}
EDIT: Using Authentication API Webhooks Extension
This method will call a Webhook on a schedule (e.g. every 5 minutes) for every Change Password event that has occurred during that period. It will query the Management API v2 to obtain all refresh tokens for the user that changed password, and revoke all of them.
- Create a Non-interactive client in Auth0. This will be used to perform a client_credentials flow to obtain an access_token for the Management API.
- In the Auth0 Management API in the APIs section, grant the Non-interactive client the read:device_credentials and delete:device_credentials scopes.
- Create a webhook (I have used Webtask) which will be called by the extension. The following code is a rough outline of how you would query and revoke the refresh tokens for the user: gist:17b11223140255fa829654c4cc1bd673 · GitHub
- Set up the Authentication API Webhooks extension for Change Password Success events, as a CRON job - I have set this to run every 5 minutes.
I have a webtask running, but it seems that not all login events are being sent to the webtask.
Logins from an app that show up on the Auth0 dashboard don’t show up when logging to the console from a webtask, and maybe vice versa.
A sample event that is logged by the webtask:
{"date":"2017-04-07T05:50:26.103Z","type":"s","connection":"Username-Password-Authentication","connection_id":"<redacted>","client_id":"<redacted>","client_name":"<redacted>","ip":"<redacted>","user_agent":"<redacted>","details":{"timings":{"connection":81,"all_rules":18,"internal":24,"total":123},"stats":{"loginsCount":351}},"user_id":"<redacted>","user_name":"<redacted>","strategy":"auth0","strategy_type":"database","_id":"<redacted>","isMobile":false}
The webhook is set up as a CRON job, hence the login events won’t be sent instantly, but rather at the configured time intervals (e.g. 5 minutes).
Would this mean that every time a user logs in from different devices (during that day) all refresh tokens will be invalidated? Do we have to track “refresh_token_invalidated” dates in some user metadata?
What are the alternatives to using the Check Last Password Reset Rule? Can we invalidate refresh tokens as part of the password change process?
See my update above for using the Authentication API Webhook extension.