Logout after Resource Owner Password login

I have a Node.js API that works with Auth0 and gets access tokens for front-end users via the Resource Owner Password method (Connection: Username-Password-Authentication).

I want to make the access_token invalid after the user logs out on the front end. Is there any way to do this?

I’ve tried using GET /v2/logout with different parameters, but I can still get user information via GET /userinfo with the current access_token.

The resource owner password credentials grant is stateless from the perspective of the identity provider/authorization server (in this case your Auth0 domain). This means that no authentication session is established as part of the flow, so the /v2/logout endpoint is not applicable to this particular case.

In the case of this grant the only thing you need to clean up on your side is the actual token. In particular, if your web application establishes an authentication session based on the outcome of the grant and stores the issued access token, then performing a logout from your application will only involve removing those stored tokens and terminating the session.

From your description of the issue I also get the impression that there is a clear distinction between back-end (API) and front-end, so this grant might not even be the most suitable for your scenario. However, in the cases where the grant is applicable the above holds; there is no session to remove at the identity provider, so you only need to clean up your own. If you’re looking for revocation of access tokens, then that is a somewhat different subject, because it applies to all grants and may not be related to sessions at all; as an additional note, at this time there is no built-in support for revocation of access tokens.


Thank you @jmangelo,

I felt that there is no revocation of access tokens for my case.
And I can say that any login with username and password would have been suitable for me, as I am not using the ready-made Lock form. And I’ve found only the Resource Owner Password method suitable.