Add last logout date/time to JWT claims

Is there a way to attach actions to logout?

I’d like to save the last logout date as a JWT claim to allow invalidation of the JWT immediately (or soon thereafter) on logout. This is to address the security concern around session expiration.

This would be separate from the JWT expiration which would be set to the standard 30 min.

I got this idea from "javascript - Invalidating JSON Web Tokens" on Stack Overflow:

A common approach for invalidating tokens when a user changes their password is to sign the token with a hash of their password. Thus if the password changes, any previous tokens automatically fail to verify. You can extend this to logout by including a last-logout-time in the user’s record and using a combination of the last-logout-time and password hash to sign the token. This requires a DB lookup each time you need to verify the token signature, but presumably you’re looking up the user anyway.

Basic flow that I’m thinking of:

Login:

  1. On login pull the last logout date/time from event.user.user_metadata dictionary.
  2. Add that claim to the JWT.
  3. In the application validate the last logout timestamp against what is in the JWT and reject it if they don’t match.

The login action can be done easily using Actions so I don’t have any questions about that.

Logout:

  1. User hits the logout endpoint for Auth0.
  2. Logout action (this is what I can’t find) would take the current time and save it on the user’s user_metadata - to be used in the login. Would probably also post the value to the application to save in the db there.

The logout action piece is where I’m having trouble finding a solution so any suggestions are appreciated.

I could have the app manage it (the frontend logout code also hits an endpoint on the app server that would track the logout date/time and the login action above would query the app server for the user’s last logout when creating the JWT), but this means that any logouts that happen outside of the frontend code would not get set (i.e. if someone hit the auth0 logout endpoints directly).
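The login-side half of the flow above together with the application-side check, as an added example that is not part of the original post and not Auth0's own code. It assumes a namespaced claim name (`https://example.com/last_logout`), a `last_logout` key in `user_metadata` holding Unix seconds, and an in-memory map standing in for the application database. The logout-side write is shown as the app-managed endpoint the post mentions, since that is the step that cannot be attached to Auth0's own logout; the `makeFakeApi` and `demo` helpers are constructed so the block runs offline.

```javascript
// Added example, not code from the thread or from Auth0. Claim name, the
// user_metadata key "last_logout" and the in-memory store are assumptions.

// Auth0 recommends namespacing custom claims to avoid collisions with reserved
// claim names; this URL-style name is assumed for illustration.
const LAST_LOGOUT_CLAIM = "https://example.com/last_logout";

// Returns the last-logout time (Unix seconds) recorded in user_metadata, or 0
// when the user has never logged out, so the claim is always present.
function lastLogoutFromMetadata(user) {
  const meta = user && user.user_metadata;
  const value = meta && meta.last_logout;
  return Number.isInteger(value) && value >= 0 ? value : 0;
}

// Post-login Action handler. In an Auth0 Action this is exported as
// exports.onExecutePostLogin; event.user and api.accessToken/api.idToken
// follow the post-login Action API shapes.
async function onExecutePostLogin(event, api) {
  const lastLogout = lastLogoutFromMetadata(event.user);
  api.accessToken.setCustomClaim(LAST_LOGOUT_CLAIM, lastLogout);
  api.idToken.setCustomClaim(LAST_LOGOUT_CLAIM, lastLogout);
}

// Application side. The app-managed logout endpoint records the logout time;
// the map is a constructed stand-in for the application's database.
const lastLogoutStore = new Map(); // user id -> Unix seconds

function recordLogout(userId, nowSeconds) {
  lastLogoutStore.set(userId, nowSeconds);
  return nowSeconds;
}

// Called after signature and exp have already been verified. Rejects the token
// when the claim is missing (fail closed) or does not match the stored value:
// a logout after issuance moves the stored value past what the token carries.
function rejectedByLogout(claims, userId) {
  const claimed = claims[LAST_LOGOUT_CLAIM];
  if (!Number.isInteger(claimed)) return true;
  const stored = lastLogoutStore.get(userId) || 0;
  return claimed !== stored;
}

// Minimal mock of the Action api object that just records the claims set.
function makeFakeApi() {
  const claims = { accessToken: {}, idToken: {} };
  return {
    claims,
    accessToken: { setCustomClaim: (k, v) => { claims.accessToken[k] = v; } },
    idToken: { setCustomClaim: (k, v) => { claims.idToken[k] = v; } },
  };
}

// Walk-through: login issues a token -> accepted -> user logs out -> same
// token is rejected even though its exp has not passed.
function demo() {
  const userId = "auth0|demo-user"; // constructed sample id
  const user = { user_id: userId, user_metadata: { last_logout: 1700000000 } };
  const api = makeFakeApi();
  onExecutePostLogin({ user }, api); // body has no awaits, so claims are set synchronously
  const claims = { sub: userId, ...api.claims.accessToken };
  recordLogout(userId, 1700000000);                       // app already holds the same value
  const beforeLogout = rejectedByLogout(claims, userId);  // false: token still good
  recordLogout(userId, 1700003600);                       // user logs out an hour later
  const afterLogout = rejectedByLogout(claims, userId);   // true: token now rejected
  return { beforeLogout, afterLogout };
}
```

Because the application must consult its own record on every request, this check adds a lookup per request, which matches the trade-off described in the quoted Stack Overflow answer; the token's normal `exp` check still applies on top of it.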

Hi @josh.young,

Welcome to the Auth0 Community!

Unfortunately, we currently do not support a Post-Logout Action and there isn’t a last_logout user profile attribute. With that said, I believe this would be a great candidate for a feedback request. If you have a moment, I recommend creating a feedback request asking to support a Post Logout Action.

Now, it may be possible to leverage your Auth0 Logs to find the slo Log Event to determine if the access token is valid when compared to the logout time. However, there isn’t an easy way to accomplish this without some heavy lifting on your end.

With that said, my best recommendation is to make the access token expiration as short-lived as possible.

Please check out this related Community Post regarding invalidating access tokens when a user logs out.

Let me know if I can help you with anything else.

Thanks,
Rueben

Thank you for the response. I’ve created a feedback request here.
