Detect stale access token at the API end

ritiwari369 · November 14, 2022, 7:23am

Hi

Even after logout at REACT client end (logout() from auth0), my node server is still accepting Access tokens (I’m checking token expiry and verfying sign):-

if (decodedJwt.payload.exp < currentTime ||   decodedJwt.payload.iat > currentTime) return 403;

jwt.verify(jwtoken, signingKey, {'algorithms': decodedJwt.header.alg}, (error) => { return 403; }

So how can I detect that token in request is stale or flushed/blocked by auth0?

Thanks

dan.woda · November 28, 2022, 5:35pm

Hi @ritiwari369,

In the context of Auth0, JWT access tokens are stateless and aren’t “revoked” when a user logs out. If a token is not expired and has the correct claims, it is valid.

For this scenario, I would recommend using short-lived tokens that expire more quickly. Access Tokens

system · December 12, 2022, 5:36pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.