I’m using a single page application, there are multiple users (admin, and user for example) I have two questions:
Does blacklisting the user revokes its access token immediately?
How can the admin revokes the access token of an active user to make him log out immediately? What api to call I mean?
March 28, 2019, 11:05am
Welcome to the Community! I may be wrong but I don’t believe you can revoke access tokens at all in Auth0, at least not yet (you can
revoke a refresh token). The recommended best practice is to keep your token lifetime short. @nicolas_sabena suggests an approach here:
With OAuth2, a client application receives an Access Token that lets the application access a resource (the API) on behalf of the user (there might be a consent step involved if the application is considered “third-party”).
If a user logs out of the application, that action alone does not (should not) invalidate the issued token, because the user already gave consent to the application to access the resource. If anything, the application should discard any tokens previously obtained…
August 30, 2019, 1:27pm
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.