We use a third-party website for comments into which we send the token.__raw from Auth0. But there is a problem if a user deletes his account from Auth0 while he’s logged in and then opens the comments section. In this case we still send a correct token to our comments provider. Is there a way to check if the user actually still exists (not just in cache) in the frontend with Auth0 SPA JS?
Hi @mtester,
Welcome to the Auth0 Community!
You can check whether the user exists by calling the Management API’s Get a user endpoint. You can find the user_id in the sub claim of the access token you store.
Let me also share our Revoke Tokens documentation for your reference.
In the doc, it states that once an access token is issued, it cannot be revoked. Therefore, you should try to have tokens be as short-lived as possible and refresh the user periodically if the user stays active.
Thanks,
Rueben
But that has to be done on the backend then, as it’s not public and needs some authentication. I saw there is also the ManagementClient, but that one also needs some token and it’s suggested not to use it on the frontend.
Hi @mtester,
Thanks for following up.
With the auth0-spa-js SDK, there is actually a method called isAuthenticated that you could use to determine if the user is logged in.
Could you please give it a try and let me know how it goes?
Thanks,
Rueben
That will do nothing, as the user is already logged in when we need to check if it still exists.
Hi @mtester,
If the user exists and is logged in, the isAuthenticated method will return True.
If the user is removed while logged in, the isAuthenticated method will return False.
In this way, you can determine if the user exists or not while logged in.
You can test this by yourself by creating a new user, logging them in, and then deleting them. You will see that their session is inactive.
Thanks,
Rueben
No, it doesn’t. I just tested it. And it only works with the cached info, as per its code here:

```typescript
// isAuthenticated never contacts Auth0: it only asks getUser for the cached user.
public async isAuthenticated() {
  const user = await this.getUser();
  return !!user;
}

// getUser reads the ID token from the SDK cache and returns its already-decoded
// user claims; nothing is re-validated against the server.
public async getUser<TUser extends User>(): Promise<TUser | undefined> {
  const cache = await this._getIdTokenFromCache();
  return cache?.decodedToken?.user as TUser;
}
```
As you can see it only calls the getUser function which only decodes the user part of the cached token.
Hi @mtester,
Thank you for your reply and for testing this on your end.
I have just collaborated with my colleagues on this one, and it looks like the best course of action would be to make your tokens as short-lived as possible.
This is because you are sending the token to your comments provider, which will grant the user access for the lifetime of the token.
Once you have made the access token as short-lived as possible, it will force the user to re-authenticate to get a fresh token for usage. For this, you could either implement silent authentication or refresh token rotation.
Here are some helpful resources for your reference:
Please let me know if you have any questions.
Thanks,
Rueben
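Putting the thread’s conclusion into code: since isAuthenticated only reads the SDK cache, the token handed to the comments provider should come from a fresh silent-authentication round-trip to Auth0 and carry its own expiry forward so the caller can re-fetch before it lapses. This is an added example, not code from the thread or from the auth0-spa-js project; it assumes an auth0-spa-js v2 client whose getTokenSilently({ cacheMode: 'off', detailedResponse: true }) bypasses the cache and rejects with error 'login_required' when Auth0 will not issue a token, and the fake client at the bottom is a constructed stand-in for testing.

```javascript
// Added example; not the thread's or the auth0-spa-js project's own code.
// Assumes auth0-spa-js v2: getTokenSilently({ cacheMode: 'off', detailedResponse: true })
// skips the SDK cache and performs a silent-auth round-trip to Auth0.

// Decode a JWT payload without verifying it (the same thing the SDK's getUser does on the cache).
function decodePayload(jwt) {
  const b64 = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  const json = typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('utf8');
  return JSON.parse(json);
}

// Obtain the raw ID token to hand to the comments provider. Returns null when Auth0 will no
// longer issue one (login_required), so the caller never forwards a cached token for a user
// whose Auth0 session is gone. Other errors (network, config) are surfaced, not swallowed.
async function freshTokenForCommentsProvider(auth0Client, nowMs = Date.now()) {
  let resp;
  try {
    resp = await auth0Client.getTokenSilently({ cacheMode: 'off', detailedResponse: true });
  } catch (err) {
    if (err && err.error === 'login_required') return null;
    throw err;
  }
  const claims = decodePayload(resp.id_token);
  const expMs = claims.exp * 1000;
  if (expMs <= nowMs) return null; // never forward an already-expired token
  // refreshInMs tells the caller when to ask again, so the provider never holds a token
  // past its (deliberately short) lifetime.
  return { token: resp.id_token, sub: claims.sub, refreshInMs: expMs - nowMs };
}

// --- Constructed stand-in for the SDK client (Node, for exercising both paths above). ---
function unsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

// userStillExists=false simulates Auth0 refusing silent auth for a removed user.
function fakeAuth0Client(userStillExists, exp) {
  return {
    async getTokenSilently() {
      if (!userStillExists) {
        throw Object.assign(new Error('Login required'), { error: 'login_required' });
      }
      return { id_token: unsignedJwt({ sub: 'auth0|example-user', exp }), expires_in: 60 };
    },
  };
}
```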