Can a malicious user easily prevent being logged out?

If I read this code right:

All that is done to check if the user is logged in is to check if the JWT token is signed with the right keys.
So if I want to log out a user and he just chooses to keep the JWT, then he could just stay signed into my API?

Hi @bag

It is not easy to revoke an access token (you can do it, but that complicates things in bad ways).
Instead, you should make access tokens have a short lifespan. The exact lifespan will depend on your security needs.

John

1 Like
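The exchange above, as an added example that is not part of the original thread or of Auth0's code: a stateless verifier keeps accepting a token the client held on to after "logout", and the `exp` claim is the only thing that bounds that window. It assumes HS256 with a constructed secret so it runs on the standard library alone; the helper names and timestamps are hypothetical.

```python
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed key; HS256 is an assumption of this demo

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(sub: str, now: int, lifetime: int) -> str:
    """Mint an HS256 JWT carrying iat/exp claims (hypothetical helper)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(token: str, now: int) -> Optional[dict]:
    """Stateless API-side check: pinned algorithm, signature, then expiry."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_unb64(header_b64)).get("alg") != "HS256":
            return None  # never let the token choose its own algorithm
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        claims = json.loads(_unb64(payload_b64))
        exp = claims.get("exp")
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token
    if not isinstance(exp, int) or now >= exp:
        return None  # missing or elapsed expiry
    return claims

def accepted_after_logout(lifetime: int, logout_at: int, probe_at: int) -> bool:
    """True if a token the client kept still passes verify() after logout."""
    token = issue("user-1", now=0, lifetime=lifetime)
    # Logout only discards the client's copy. No server-side state changes,
    # so logout_at has no influence on the result of verify().
    return probe_at > logout_at and verify(token, probe_at) is not None

if __name__ == "__main__":
    # Logout at t=600s, replay at t=3600s (constructed timeline).
    print("24h token still accepted:", accepted_after_logout(86400, 600, 3600))
    print("15m token still accepted:", accepted_after_logout(900, 600, 3600))
```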

Is there any high-level guide on how I should set up Auth0 when I have a frontend React application and an API then? The guide above does not really explain how it expects you to set up your own sessions.
Questions that come to my mind:

  • Should I call Auth0 from React or from my backend API (Elixir/Phoenix)?
  • At which point in time should my backend create a session for the user?

It would help to have an overview of how the normal registration, login and authentication process would work (which part makes which request in which order).

This post by Vittorio explains a lot: OAuth2 Implicit Grant and SPA

The basic approach for SPAs is covered here: Auth0 Single Page App SDK

If you have a SPA that has a BFF, you can use the classic web app approach instead, using “Auth Code” instead of “Auth Code + PKCE”: Authorization Code Flow

John