Invalidating an Access Token after User Logout

Last updated: Oct 16th, 2024

Overview

This article clarifies whether it is possible to invalidate a user’s access token after logging out.

Applies To

  • Access Tokens
  • Refresh Tokens
  • Rotating Refresh Tokens

Cause

There are a number of factors at play regarding a user’s session and logout:

  • Multiple Session Layers
    • Auth0 Session Layer
    • Application Session Layer
    • Identity Provider Session Layer
  • Tokens
    • Access Tokens
    • Refresh Tokens

Solution

JWT Access Tokens cannot be revoked. They are valid until they expire. Since they are bearer tokens, there is no way to invalidate them. If the token is used for accessing sensitive resources, Auth0 recommends using short-lived access tokens to mitigate the risk of someone copying and misusing a token.

NOTE:

  • In SSO scenarios, when an Application performs a logout operation to Auth0, the user’s Auth0 session is killed. If any other applications reach out to Auth0 to check the user’s session, they will find that the user has no active session, and the user will be logged out of those applications as well.
    Without reaching out to Auth0 to check the user’s session, the secondary applications will not automatically know this has happened in the primary application, and no action will be performed. This is why an Application should be configured to check Auth0’s session.
  • Access Tokens are valid until the expiration date and cannot be invalidated. Only Refresh Tokens (RT) can be revoked.
  • Long-lived Refresh Tokens, like non-rotating refresh tokens, are not suitable for SPAs because there is no persistent storage mechanism in a browser that can assure access by the intended application only.
  • Rotating Refresh Tokens (RRT) were created for SPAs to prevent the loss of sessions (referenced using cookies) caused by browsers blocking third-party cookies. Generally speaking, SPAs use rotating refresh tokens or silent authentication with session cookies to refresh access tokens.

Single Logout (SLO) is a feature that allows a user to terminate multiple authentication sessions by performing a single logout action. Auth0 supports SLO when connecting the application to a SAML Identity Provider (IdP), and supports limited SLO when Auth0 is configured as a SAML IdP.

For OIDC-based regular web applications, customers with Enterprise subscriptions have the alternative of OIDC Backchannel logout: a session termination event on the tenant triggers additional logout procedures on registered application endpoints, for example clearing out the relevant user’s session and deleting any stored tokens. The currently supported initiators for backchannel logout are documented here.
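As an added example (not part of this article or of Auth0’s own code), here is a minimal Python handler for the application side of OIDC Back-Channel Logout: it validates the logout_token posted to the registered endpoint (issuer, audience, the backchannel-logout events claim, sid or sub present, no nonce) and then deletes the matching application session together with the refresh token stored for it. The tenant issuer, client id, shared secret and session store are constructed; the example verifies HS256 with a shared secret so it runs offline, whereas a real endpoint verifies Auth0’s RS256 signature against the tenant’s JWKS.

```python
import base64, hashlib, hmac, json

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
# Constructed sample store: app sessions keyed by Auth0 sid, each with its stored refresh token.
SESSIONS = {
    "sid-123": {"sub": "auth0|alice", "refresh_token": "rt-alice-1"},
    "sid-456": {"sub": "auth0|alice", "refresh_token": "rt-alice-2"},
    "sid-789": {"sub": "auth0|bob", "refresh_token": "rt-bob-1"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_logout_token(claims: dict, key: bytes) -> str:  # constructed stand-in for the tenant
    head, body = _b64url(b'{"alg":"HS256","typ":"JWT"}'), _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_logout_token(token: str, key: bytes, issuer: str, audience: str) -> dict:
    """Check a logout_token per OIDC Back-Channel Logout; return its claims or raise."""
    head, body, sig = token.split(".")
    # HS256 with a shared secret keeps the demo offline; Auth0 signs RS256, so verify against its JWKS.
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud", [])
    if claims.get("iss") != issuer or audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("wrong issuer or audience")
    if BACKCHANNEL_EVENT not in claims.get("events", {}):
        raise ValueError("not a back-channel logout event")
    if "sid" not in claims and "sub" not in claims:
        raise ValueError("neither sid nor sub present")
    if "nonce" in claims:  # forbidden, so a logout token cannot pass as an ID token
        raise ValueError("nonce must not be present")
    return claims

def handle_backchannel_logout(token: str, key: bytes, issuer: str, audience: str) -> list:
    # Drops the matching app session(s) and, with them, their stored refresh tokens.
    claims = validate_logout_token(token, key, issuer, audience)
    if "sid" in claims:  # a specific Auth0 session was terminated
        targets = [claims["sid"]] if claims["sid"] in SESSIONS else []
    else:  # only sub: the tenant is logging the user out of every session
        targets = [s for s, v in SESSIONS.items() if v["sub"] == claims["sub"]]
    for sid in targets:
        SESSIONS.pop(sid)
    return targets
```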
