If I read this code right:
All that is done to check if the user is logged in is to check if the JWT token is signed with the right keys.
So if I want to log out a user and he just chooses to keep the JWT then he could just stay signed into my API?
Hi @bag
It is not easy to revoke an access token (you can do it, but that complicates things in bad ways).
Instead, you should make access tokens have a short lifespan. The exact lifespan will depend on your security needs.
John
Is there any high level guide on how I should setup Auth0 when I have a frontend React Application and an API then? The guide above does not really explain how it expects you to setup your own sessions.
Questions that come to my mind:
It would help to have an overview of how the normal registration, login and authentication process would work (which part makes which request in which order).
This post by Vittorio explains a lot: OAuth2 Implicit Grant and SPA
The basic approach for SPAs is covered here: Auth0 Single Page App SDK
If you have a SPA that has a BFF, you can use the classic web app approach instead, using āAuth Codeā instead of āAuth Code + PKCEā: Authorization Code Flow
John