Having Trouble on Remove Auth0 Session When Logout From Front End

Perhaps I’m missing something in my understanding of how this all works, so please bear with me 🙂

We have both a front-end and a back-end app for authenticating our user accounts. The front-end app can log in and log out without any issue and it works perfectly. When I log out the user from my front-end app, the access_token is still valid (and it is never destroyed on Auth0). I can still use that access_token to make a request to my back-end/API because the expiration date has not yet passed. I have been reading so many articles about how to deal with it. Is there a better way to revoke the access_token from Auth0, or any control that I can have over it? I need my users to stay logged in on their computer or device without logging out for 3 days. Do not suggest that I change the session to 3 mins or the like. I need a better way to keep users logged in, and when they log out, my back end can know that the access_token is invalidated.

Thank you for any helpful tips.

Hi @JayKiller,

What type of framework are you working with? You should be logging out in your front end by deleting the token and ending the session with the server via the /logout endpoint.

Let me know,
Dan

From an email:

Access Tokens cannot be revoked, by design.

I would like to talk about your implementation, because it sounds like there is a problem with them persisting after logout. Logout means a series of things: it can mean deleting a token, it can mean ending a session with the auth server, or it can mean removing a cookie. In addition to ending the session (via the /logout endpoint) you must delete the token and thus “logout”.

Thanks,
Dan
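To make the two points in this thread concrete, here is an added example (not code from the thread or from Auth0): a resource server with no revocation list can only reason about the `exp` claim, which is why the token keeps working until it expires, and a front-end logout has two halves, deleting the stored token and redirecting the browser to the Auth0 tenant's logout endpoint. The tenant domain, client id, return URL and the `/v2/logout` URL shape are assumptions to be checked against your own tenant; the token is constructed inline and carries a dummy signature.

```javascript
// Assumed placeholder values, not from the thread.
const AUTH0_DOMAIN = 'example.auth0.com';
const CLIENT_ID = 'YOUR_CLIENT_ID';
const RETURN_TO = 'https://app.example.com/';

// Minimal base64url helpers (no padding, URL-safe alphabet).
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(str) {
  const padded = str.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - str.length % 4) % 4);
  return Buffer.from(padded, 'base64').toString();
}

// Constructed sample token: header.payload.signature with a dummy signature.
// A real back end must verify the signature first; this example only looks at exp.
function makeSampleToken(expSeconds) {
  const header = b64urlEncode({ alg: 'RS256', typ: 'JWT' });
  const payload = b64urlEncode({ sub: 'auth0|sample-user', exp: expSeconds });
  return `${header}.${payload}.dummysig`;
}

// What a stateless resource server can decide: is the token past its exp?
// Nothing here knows whether the user logged out, so a deleted-but-unexpired
// token is still accepted. That is the behaviour the original post observed.
function acceptedByExp(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const payload = JSON.parse(b64urlDecode(token.split('.')[1]));
  return typeof payload.exp === 'number' && payload.exp > nowSeconds;
}

// Front-end logout, both halves from Dan's reply:
// 1. delete the token the client holds; 2. end the Auth0 session by sending the
// browser to the logout endpoint. Returns the URL the caller should navigate to.
function logout(storage) {
  storage.delete('access_token');
  const qs = `client_id=${encodeURIComponent(CLIENT_ID)}&returnTo=${encodeURIComponent(RETURN_TO)}`;
  return `https://${AUTH0_DOMAIN}/v2/logout?${qs}`;
}

module.exports = { makeSampleToken, acceptedByExp, logout };
```

Run with Node; `storage` is any Map-like object (a thin wrapper around `localStorage` in a browser).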
