Failure to revoke refresh token


I’m currently using the Angular Auth0 SDK and refresh tokens to be able to give the ability to keep users logged in when a user updates their Auth0 email address. In doing this I ran into issues where the user was unable to fully log out because on log out the Angular app would re-initialize on our logout page and use the refresh token to retrieve a new access token, thereby logging the user back in silently.

I was recommended by an Auth0 employee to call the Auth0 revoke API on logout to revoke the refresh token since it seems the SPA library revokes the refresh token on logout but the Angular Auth0 SDK doesn’t yet. However, it’s possible the API call could fail which would mean the refresh token wouldn’t be revoked and the user could be logged back in silently on app re-initialization. My main concern here is that I don’t want to deceive any users into thinking they’ve logged out when they haven’t really been.

Are these the correct steps in using refresh tokens and the Angular Auth0 SDK to log a user out?
Is it a common scenario that the revoke call fails and the user remains logged in?


Hi @finnbai!

It sounds like the primary issue might be the app re-initializing on logout? Just looking at our sample app I’m unable to reproduce this behavior.

FWIW refresh token rotation is the preferred mechanism in a SPA app as revoking the refresh token actually destroys the entire grant itself - This results in user consent being lost and requiring the user to consent again on the subsequent login. The Angular SDK should remove any local copy of the RT, so unless you suspect leaks there really shouldn’t be any reason to fully revoke.

Some more on best practices here:

Hope this helps!

Thanks, @tyf

I spun up the sample application and used it with refresh tokens and set the cacheLocation to ‘localstorage’. I’m also unable to reproduce the issue I’m seeing in my own app but they both seemed to be configured the same. Both applications initialize the same (through the app.module) but only mine will re-login the user. It seems like there must be some other configuration in my Auth0 tenant that could be causing this functionality but I’m not entirely sure what the difference could be.

I also removed my code that calls the API to revoke the refresh token but the majority of the time the user is re-logged in on app load. I tried setting the returnTo parameter of the Auth0 logout function to a different domain and without revoking the refresh token it seems very inconsistent. On logging out one of these three scenarios will occur:

  1. Correctly navigate the user to the returnTo URL and on revisting the app the user will be logged out correctly.
  2. Correctly navigate the user to the returnTo URL but on revisting the app the user will be logged in again.
  3. Incorrectly navigate the user directly to the Auth0 login screen and never reach the returnTo URL.

I checked that the Refresh Token Rotation was enabled and it was so I experimented with the Reuse Interval. When I set this value to 1 second it was correctly logging the user out without having to revoke the refresh token but would always navigate the user to the Auth0 login page rather than the URL I specified in the returnTo parameter.

Do you know of any reason this inconsistency could be occurring? Right now as I type this I’m able to log out and log in with no issues but I don’t feel like I can trust that in the future.

Hi @tyf

I noticed that if I log on, log out immediately, and re-open the app I will be sent to the login page correctly but if I login, keep the app open for 5 minutes, log out, and re-open the app that I will be auto logged back in. So I’m not too sure what’s happening at 5 minutes that makes this possible.

I don’t think I’m fully understanding how these tokens are kept alive if I use the Angular Auth0 SDK logout function and then manually delete the local and session storage. How does the application have any information to re-log me back in?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.