Invalidating an Access Token after User Logout

Problem statement

Is it possible to invalidate a user’s access token after they have finished logging-out?

Cause

There are a number of factors at play regarding a user’s session. First, there are multiple session layers: most notably for this case, the Auth0 session layer and your application’s session layer (this may or may not be configured). Next are the tokens returned during authentication, the two which are relevant to this scenario being access tokens and refresh tokens.

Solution

JWT access tokens are valid until they expire; there is no way to invalidate them, since they are bearer tokens. If the token is used for accessing sensitive resources, Auth0 recommends using a short access token lifetime to mitigate the risk of someone copying a token and then logging out.

A few things to note:

  • When any of your applications perform a logout (/v2/logout), this kills the user’s Auth0 session. If any of the other applications should reach out to Auth0 to check a user’s session, it will find the user has no active session and they will be logged out of that application. Without reaching out to Auth0 to check the user’s session, your secondary applications will not automatically know this has happened in the primary application.

  • Access tokens are valid until the expiration date, and cannot be invalidated. Only refresh tokens can be revoked (invalidated): Revoke Refresh Tokens

  • Long-lived (non-rotating) refresh tokens are not suitable for SPAs; see Refresh Token Rotation.

  • Rotating refresh tokens (RRT) were created for SPAs due to the problem of sessions, which are referenced using cookies, being lost as the result of newer browsers blocking third-party cookies (same docs as above). This is a key point. Generally speaking, SPAs either use rotating refresh tokens or silent authentication with session cookies to refresh access tokens.
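To make the solution concrete, here is an added example (not Auth0 code) of what a resource server actually checks when it receives a bearer JWT: signature, expiry, and an optional maximum-lifetime policy. It uses a constructed HS256 shared secret and a fake clock; Auth0 issues RS256 tokens in practice, but the point is the same: nothing in this check consults the Auth0 session, so a logout cannot make a copied token fail, and only a short lifetime bounds the exposure.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: HS256 secret shared by issuer and API

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_access_token(sub: str, iat: int, lifetime: int) -> str:
    """Constructed stand-in for the issuer minting a bearer JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": iat, "exp": iat + lifetime, "aud": "https://api.example.com"}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_access_token(token: str, now: int, max_lifetime: int = 600) -> bool:
    """Resource-server check: algorithm pinned, signature valid, not expired,
    and issued lifetime within policy. No session lookup happens here."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return False
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return False  # refuse anything but the pinned algorithm
        claims = json.loads(b64url_decode(p))
        if now >= claims["exp"]:
            return False
        # Policy: reject tokens minted with a longer lifetime than the API tolerates;
        # this bounds how long a token copied before logout keeps working.
        return claims["exp"] - claims["iat"] <= max_lifetime
    except (ValueError, KeyError):
        return False

# Constructed scenario: login at T0, token copied, user logs out of Auth0 at T0+60.
T0 = 1_700_000_000
short_token = mint_access_token("auth0|user1", T0, lifetime=300)   # 5 minutes
long_token = mint_access_token("auth0|user1", T0, lifetime=86400)  # 24 hours

def after_logout_results():
    """What the API sees right after the logout and after the short token expires.
    Returns (short accepted at logout, long accepted at logout, short accepted after exp)."""
    logout = T0 + 60
    return (verify_access_token(short_token, logout),
            verify_access_token(long_token, logout),
            verify_access_token(short_token, T0 + 301))
```

The short token is still accepted sixty seconds after the Auth0 session was killed, which is the behaviour the solution describes; the only thing that ends its usefulness is the five-minute expiry.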

Single Logout (SLO) is a feature that allows a user to terminate multiple authentication sessions by performing a single logout action.

Auth0 supports SLO when you connect your application to a SAML Identity Provider (IdP) and supports limited SLO when you configure Auth0 as a SAML IdP.

More info on this can be found here:
