Is there a way to attach actions to logout?
I’d like to save the last logout date as a JWT claim to allow invalidation of the JWT immediately (or soon thereafter) on logout. This is to address the security concern around session expiration.
This would be separate from the JWT expiration which would be set to the standard 30 min.
I got this idea from javascript - Invalidating JSON Web Tokens - Stack Overflow
A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user’s record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you’re looking up the user anyway.
Basic flow that I’m thinking of:
Login:
- On login pull the last logout date/time from the event.user.user_metadata dictionary.
- Add that claim to the JWT.
- In the application validate the last logout timestamp against what is in the JWT and reject it if they don’t match.
The login action can be done easily using Actions so I don’t have any questions about that.
Logout:
- User hits the logout endpoint for Auth0
- Logout action (this is what I can’t find) would take the current time and save it on the user’s user_metadata to be used in the login. Would probably also post the value to the application to save in the db there.
The logout action piece is where I’m having trouble finding a solution so any suggestions are appreciated.
I could have the app manage it (the frontend logout code also hits an endpoint on the app server that would track the logout date/time and the login action above would query the app server for the user’s last logout when creating the JWT), but this means that any logouts that happen outside of the frontend code would not get set (i.e. if someone hit the auth0 logout endpoints directly).