Unfortunately I’ve had to submit a third question on this topic. If topics were left open for continued discussion, that may be beneficial for the community.
As noted in this question, there are situations where revoking a refresh token will make other refresh tokens also become invalid. Is there any alternative that will allow making a refresh token invalid without deleting all the same grants behind the scenes (thus revoking ALL refresh tokens)? Surely we’ve all used features / tools like Gmail that allow perpetual logins, and logging out does not log out all users of that account. I’m trying to do the same with Auth0. Refresh tokens get part of the way, but I need the ability to revoke a refresh token while allowing other refresh tokens to remain valid.
As it has been more than a few months since this topic was opened, and there has been no reply or further information provided from the community as to the existence of the issue, we would like to check whether you are still facing the described challenge.
We are more than happy to assist in any way! If the issue is still out there, please let us know so we can create a new thread for better visibility; otherwise we’ll close this one in a week’s time.
The question is still valid for me. If an account has logged in on 2 devices (and thus has 2 valid refresh tokens), I would like a way to revoke one but not the other refresh token. I see this as a difference between “log out” and “log out all devices”. Seems like Auth0 has the latter but not the former. This means every native “log out” is effectively a “log out all devices”.
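To make the “log out” versus “log out all devices” distinction concrete, here is an added, self-contained model of a refresh-token store (example code, not Auth0’s implementation) in which many refresh tokens hang off one (user, client) grant; revoking a single token leaves its siblings valid, while revoking the grant invalidates every token issued under it. Users, client and device names are constructed sample values.

```python
import secrets
from dataclasses import dataclass


@dataclass
class RefreshToken:
    token_id: str
    grant_id: str   # the (user, client) grant this token was issued under
    device: str     # label for the device/session that holds the token
    revoked: bool = False


class RefreshTokenStore:
    """Constructed in-memory store: one grant per (user, client), many tokens per grant."""

    def __init__(self):
        self.tokens = {}   # token_id -> RefreshToken
        self.grants = {}   # grant_id -> set of live token_ids

    def issue(self, user, client, device):
        grant_id = f"{user}:{client}"
        tok = RefreshToken(secrets.token_urlsafe(16), grant_id, device)
        self.tokens[tok.token_id] = tok
        self.grants.setdefault(grant_id, set()).add(tok.token_id)
        return tok.token_id

    def is_valid(self, token_id):
        # A token is usable only if it exists, is not revoked, and its grant still exists.
        tok = self.tokens.get(token_id)
        return tok is not None and not tok.revoked and tok.grant_id in self.grants

    def revoke_token(self, token_id):
        """'Log out': invalidate this one device's token; sibling tokens stay valid."""
        tok = self.tokens[token_id]
        tok.revoked = True
        self.grants[tok.grant_id].discard(token_id)

    def revoke_grant(self, user, client):
        """'Log out all devices': drop the grant, so every token under it fails."""
        for tid in self.grants.pop(f"{user}:{client}", set()):
            self.tokens[tid].revoked = True


def demo():
    store = RefreshTokenStore()
    phone = store.issue("alice", "native-app", "phone")     # constructed sample values
    laptop = store.issue("alice", "native-app", "laptop")
    store.revoke_token(phone)                                # single-device logout
    after_single = (store.is_valid(phone), store.is_valid(laptop))
    store.revoke_grant("alice", "native-app")                # logout everywhere
    after_all = (store.is_valid(phone), store.is_valid(laptop))
    return after_single, after_all
```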