Having Trouble on Remove Auth0 Session When Logout From Front End

JayKiller · September 23, 2019, 8:03pm

Perhaps I’m missing something with my understanding of how this all works, so please bare with me

we have both front end and back end app for authenticate our user account. The front-end app can login and logout without any issue and it works perfectly. When I logout the user from my front-end app, the access_token is still validated (and it never destroy on Auth0) . I can still use that access_token to make a request to my back-end/api because the expiration date is not yet passed. I had been reading so many articles about how to deal with it. Is there a better way to revoke the access_token from auth0 or any control that I can do for it? I need my users to be login to their computer or device without logout within 3 days. Do not suggest me to change the session in 3 mins like that. I need a better way to keep user login, and when they logout out. My back-end can know that the access_token is invalided.

Thank you any helpful tips

dan.woda · September 25, 2019, 9:28pm

Hi @JayKiller,

What type of framework are you working with? You should be logging out in your front end by deleting the token and ending the session with the server via the /logout endpoint.

Let me know,
Dan

dan.woda · September 26, 2019, 11:06pm

From an email:

Access Tokens cannot be revoked, by design.

I would like to talk about your implementation because it sounds like there is a problem with them persisting after logout. Logout means a series of things, it can mean deleting a token, it can mean ending a session with the auth server, or removing a cookie. In addition to ending the session (via the /logout endpoint) you must delete the token and thus “logout”.

Thanks,
Dan

dan.woda · October 11, 2019, 3:06am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.