How do we invalidate the refresh token for a user, whenever the user changes their password.

I guess i need a Rule for invalidating/revoking refresh token when a user changes password.
I took a look at “Check last password reset” Rule, but not quite sure how to use that.

You can revoke the refresh token through the Management API v2, outlined here: Refresh Tokens

If using the Check Last Password Reset rule, you could do the following:

// If password was reset within the last day
if (daydiff(new Date(last_password_change), new Date()) < 1) { 
    // Revoke refresh token here

EDIT: Using Authentication API Webhooks Extension

This method will call a Webhook on a schedule (e.g. every 5 minutes), for every change password event that have occurred during that period. It will query the Management API v2 to obtain all refresh tokens for the user that changed password, and revoke all of them.

  1. Create a Non-interactive client in Auth0. This will be used to perform a client_credentials flow to obtain an access_token for the Management API.
  2. In the Auth0 Management API in the API’s section, grant the Non-interactive client the read:device_credentials and delete:device_credentials scopes.
  3. Create a webhook (I have used Webtask) which will be called by the extension. The following code is a rough outline of how you would query and revoke the refresh tokens for the user:
    gist:17b11223140255fa829654c4cc1bd673 · GitHub
  4. Setup the Authentication API Webhooks extension for Change Password Success events, as a CRON job - I have set this to run every 5 minutes.

I have a webtask running, but it seems all login events are not being sent to the webtask.

Logins from an app that show up on the auth0 dashboard, don’t show up when logging to the console from a webtask and maybe vice-versa.

A sample event that is logged by the webtask:


The webhook is setup as a CRON job, hence the login events won’t be sent instantly, but rather at the configured time intervals (e.g. 5 minutes).

Would this mean that every time a user logs in from different device’s (during that day) all refresh tokens will be invalidated. Do we have to track “refresh_token_invalidated” dates in some user meta-data.

What are the alternatives to using the Check Last Password Rule. Can we invalidate refresh tokens as part of the password change process.

See my update above for using the Authentication API Webhook extension.