IdP access_token at client?

I am using react-native-auth0 and auth0.webAuth.authorize() to access the hosted login pages for both social (Google, Facebook) and passwordless. Login works great. Calling the logout endpoint from the same embedded browser as authorize() does not log out the user from the identity provider, i.e. the next time the user tries to log in, they are not prompted for a username/password. I have managed to solve the issue for Google by calling the Google logout URL https://accounts.google.com/Logout from the embedded browser.

Facebook is a bit more complicated. To log out of the Facebook IdP the client needs access to the IdP access_token. As documented in Logout, the URL to call is https://pandd.auth0.com/v2/logou...om&access_token=[facebook access_token]. However, on the Call an Identity Provider API page Auth0 advises against passing the IdP access token to the client:

Security Warning! Make sure that you don’t expose the IdP access token to your client-side application.

So, should we or should we not use the Facebook IdP access_token at the client to logout?

The warning is a general recommendation for external IdP access tokens; one of the reasons for such a general warning is that the access tokens obtained from the external IdP were issued through server-side flows (that can leverage client authentication) and if you then expose the access token to a client-side component there’s a mismatch in security characteristics between the component to which it was issued versus the component that is now using it. For example, the IdP might have issued a long-lived access token with the assumption that it was only going to be used from server-side components and you would be breaking that expectation.

Having said that, there will be some situations when the general rule may not apply or be a gray area. This seems to be one such situation because, according to the Facebook documentation (I’m using the JS SDK docs, but I assume calling the logout endpoint directly has the same characteristics):

Calling FB.logout will also invalidate the access token that you have for the user, unless you have extended the access token.

The above means that in specific situations the access token that you use for logout will be invalidated. If that’s the case, then even though you expose an access token to a client-side component, the access token is going to be invalidated as a consequence of that exposure, so the actual exposure is not a big concern. As a disclaimer, I’m not saying that it would be correct to expose it under all situations or even as part of logout for all IdPs; I’m just trying to call attention to the fact that in very specific circumstances, for the Facebook case, it may not present a serious issue.

@jmangelo thanks for the clarification and the reference to the Facebook documentation. Since the token will be invalidated, at least by the Facebook IdP, I feel comfortable using it in my case. Thanks again.

@jaiwant.mulik Could you sign out from FB? I retrieve the FB access_token and then use

https://*.auth0.com/v2/logout?federated&client_id=[client_id]&returnTo=[return_url]&access_token=[at]

It returns with 302 to

https://facebook.com/logout.php?next=[return_url]&access_token=[at]

This redirects to

https://m.facebook.com/logout.php?next=[return_url]&access_token=[at]

It doesn’t clear any cookies and redirects to https://m.facebook.com/home.php?_rdr.
Using Log into Facebook, it says token is valid and has email and public_profile scopes.
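An added diagnostic for the chain reported above (not code from the thread, from Auth0 or from Facebook): it builds the federated logout URL in the shape quoted earlier, walks the 3xx chain one hop at a time without sending cookies, and reports which hops still carry the access_token in their query string, redacting it before anything is logged. The domain, client_id, return URL and DEMO_CHAIN are constructed stand-ins; swap `DEMO_CHAIN.get` for `http_location` to trace a real tenant.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

# Endpoint shape as quoted in the thread; domain and client_id are placeholders.
def build_federated_logout_url(domain, client_id, return_to, access_token):
    query = urllib.parse.urlencode(
        {"client_id": client_id, "returnTo": return_to, "access_token": access_token})
    return f"https://{domain}/v2/logout?federated&{query}"

_TOKEN_RE = re.compile(r"(access_token=)[^&#]*")

def redact_access_token(url):
    """Mask the token value so a hop can be logged without leaking the credential."""
    return _TOKEN_RE.sub(r"\1[REDACTED]", url)

def follow_chain(start_url, fetch_location, max_hops=10):
    """Walk 3xx hops manually. fetch_location(url) returns the Location header,
    or None when the response is not a redirect. Returns the raw hop URLs."""
    hops, url = [start_url], start_url
    for _ in range(max_hops):
        location = fetch_location(url)
        if location is None:
            break
        url = urllib.parse.urljoin(url, location)  # Location may be relative
        hops.append(url)
    return hops

def hops_carrying_token(hops):
    """Indexes of hops whose query string still carries access_token; each of
    these lands in that host's access logs and in the browser history."""
    return [i for i, u in enumerate(hops) if "access_token=" in urllib.parse.urlsplit(u).query]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # make urllib stop at the first 3xx instead of following it

def http_location(url):
    """Live fetcher: no cookie jar, so only the token (not a session) is presented."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=10) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")

# Constructed stand-in for the redirect chain reported in the thread (offline).
RET = "https%3A%2F%2Fapp.example%2F"
DEMO_CHAIN = {
    f"https://example.auth0.com/v2/logout?federated&client_id=cid&returnTo={RET}&access_token=at":
        f"https://facebook.com/logout.php?next={RET}&access_token=at",
    f"https://facebook.com/logout.php?next={RET}&access_token=at":
        f"https://m.facebook.com/logout.php?next={RET}&access_token=at",
    f"https://m.facebook.com/logout.php?next={RET}&access_token=at":
        "https://m.facebook.com/home.php?_rdr",
}

def demo_trace():
    start = build_federated_logout_url("example.auth0.com", "cid", "https://app.example/", "at")
    return follow_chain(start, DEMO_CHAIN.get)

if __name__ == "__main__":
    for i, hop in enumerate(demo_trace()):
        print(i, redact_access_token(hop))
```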