Ability to revoke access token at logout

Feature: Ability to revoke access token at logout

Description: During a pen test on our SPA, which is written in AngularJS, it was highlighted that after a user logs out the access token is still valid and usable. For this purpose we would like to be able to revoke the access token at logout.

Use-case: Our SPA needs to be ISO 27001 compliant, so we have to address this open point. Ideally we would need it both in AngularJS and in Angular 2. Our use case prevents us from using short-lived tokens, as each section of the website is a separate website that shares the tokens.

Thanks for the detailed feature request!

You are again mixing authorization (OAuth 2.0 access token / refresh token) with authentication (OpenID Connect, logging in a user).

Using OAuth 2.0, an application is granted authorization to access a user's data; it is granted an access token and a refresh token. The application can access the user's data whenever it needs to, without the user being present.

Thank you, Martin, for your feedback; I fully understand what you mean. In our case we were able to send API requests using the access token after the user had logged out. This is why it got flagged as a breach during the pen tests.

Regards,
Daniel


Hello Support,

I have a follow-up question about this: if we reduce the lifetime of the tokens to 5 minutes or lower, we will have to call the Auth0 API more often to update them, so we would like to know whether you see any problems with this approach.

Regards,
Daniel

@daniel.daraban

Many of our customers use this approach. As long as you aren't running into the authentication API endpoint rate limits (https://auth0.com/docs/support/policies/rate-limit-policy/authentication-api-endpoint-rate-limits), which are very generous, it should be okay.

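The rate-limit concern in the exchange above is mostly a matter of how the client asks for new tokens: if every page section and every in-flight request refreshes on its own, a 5-minute lifetime multiplies calls to the token endpoint; if the refresh is cached and collapsed into one request, the call rate is bounded by the token lifetime. The following is an added example and not code from the thread or from Auth0's SDKs; `fetchNewToken`, the skew value and the `TokenCache` class are assumptions.

```javascript
// Added example (not from the thread): a client-side token cache that refreshes
// a short-lived access token only when it is close to expiry and collapses
// concurrent refresh requests into a single call to the token endpoint.
// `fetchNewToken` stands in for the real token endpoint and is an assumption.
class TokenCache {
  constructor(fetchNewToken, { refreshSkewSeconds = 30, now = () => Date.now() / 1000 } = {}) {
    this.fetchNewToken = fetchNewToken; // async () => ({ accessToken, expiresIn })
    this.skew = refreshSkewSeconds;     // refresh this many seconds before exp
    this.now = now;                     // injectable clock (seconds)
    this.token = null;
    this.exp = 0;
    this.inFlight = null;               // pending refresh promise shared by all callers
    this.refreshCount = 0;
  }

  async getToken() {
    // Fast path: cached token still comfortably inside its lifetime.
    if (this.token && this.exp - this.skew > this.now()) return this.token;
    // Single-flight: callers arriving during a refresh wait on the same promise.
    if (!this.inFlight) {
      this.inFlight = this.fetchNewToken()
        .then(({ accessToken, expiresIn }) => {
          this.token = accessToken;
          this.exp = this.now() + expiresIn;
          this.refreshCount++;
          return accessToken;
        })
        .finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }
}

// Simulation with a constructed clock and a counting stand-in for the token
// endpoint: three sections request a token at once, then two later requests.
async function simulateSections() {
  let clock = 1000;          // constructed clock, in seconds
  let endpointCalls = 0;     // how often the token endpoint was actually hit
  const endpoint = async () => {
    endpointCalls++;
    return { accessToken: `tok${endpointCalls}`, expiresIn: 300 }; // 5-minute token
  };
  const cache = new TokenCache(endpoint, { now: () => clock });
  const first = await Promise.all([cache.getToken(), cache.getToken(), cache.getToken()]);
  clock += 200;                            // 200 s in: still fresh, no call
  const mid = await cache.getToken();
  clock += 80;                             // 280 s in: inside the 30 s skew, one refresh
  const late = await cache.getToken();
  return { endpointCalls, first, mid, late };
}
```

With this shape, the number of token-endpoint calls is roughly one per lifetime per client regardless of how many sections or concurrent requests are active, which is what keeps a 5-minute lifetime well inside the published limits.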