Invalidating an access token when user logs out

Hi,

I have built a setup where authentication is performed in a front end application and the resulting access token is used for authenticating the user with the back end API. Now, if a user were to log out, the access token is still valid and therefore the user is able to perform API actions even after logging out. So, is there any way to explicitly invalidate a user’s access token when the user logs out?

Also, we have another workflow where a user’s session must be terminated when a system administrator requests a password reset for a user in our application back end. So, how do we invalidate the target user’s access token in this case?

1 Like

Hi @Sargent_D

Access tokens cannot be invalidated: they are designed to be self-contained, not requiring a check with Auth0 to validate, so there is no way to invalidate them.

For this reason, access tokens should have a short lifetime.

When your FE application logs the user out, it should discard the access token to prevent further activity. This is not foolproof, of course; for that you need short-lived access tokens.

John

3 Likes

So, if a user were to copy the access token after logging out, they would be able to execute API calls to the backend as if they were logged in. Is there really no other way to prevent a user from doing so or does this warrant some workaround in the backend?

Hi @Sargent_D

The workaround, as noted above, is to use short-lived access tokens. This requires some evaluation of the tradeoffs.

Access tokens are designed to be self-contained; this, by definition, means they are hard to “disable”.

John

1 Like

Understood. So, suppose I set the token lifetime too low; would that mean that the user would be logged out while they are still in the middle of some activity when the token expires?

Probably not. That is controlled by the session length, not the access token length.
If the session times out then the attempt to get a new access token will fail and require the user to enter their credentials.

John

1 Like

My bad. I misunderstood the statement. So, the user won’t be logged out, but the user will not be authenticated with the backend either, right? I am using Auth0’s Spring Security library to authenticate the user in the backend using the access token received when the user logs into the frontend via a pre-authentication token. So, if the token expires while the user is logged in, all of their API calls will return 401. How do I get a new token in this case?

Use Silent Auth, aka prompt=none:

John

This method assumes using universal login, from what I understand.

Your Auth0 Authorization Server redirects the user to the login and authorization prompt.

We don’t use the Auth0 universal login in our application. We use embedded login using the Auth0 JS web SDK. So, can this be done using that?

Hi @Sargent_D,

That is one of the many advantages of the Universal Login Page over embedded.

John

We had planned on using the universal login earlier, until we learned that there was no way to enroll a user for MFA using the phone number that we had in our database. That is, we did not want to give the user an option to enroll their own phone number for MFA, for security reasons, because there could be a possibility that the user could enroll someone else’s number if given the option to do so.

That is why we use embedded login to design our own custom design to enforce this requirement.

So, if I were to have a short lived access_token, what is the shortest time that I can have it be valid for? I was thinking that 5 mins should be good, but I could go down to 1 minute if it’s feasible. This also means that the access token would have to be refreshed every 1 minute as well.

BUMP - I am in a similar situation: React app front end with Node.js backend server with APIs (only mine are implemented with the ‘auth’ Node.js library) that the front end calls to sign up, log in, and log out users. To top up on Sargent_D’s question: if the access_token cannot be revoked, then what does calling the /oidc/logout endpoint do anyway? In my backend server, the /logout route performs a GET to:

https://${AUTH0_DOMAIN}/oidc/logout?id_token_hint=${idToken}&post_logout_redirect_uri=${LOGOUT_REDIRECT_URL};

I would have assumed that providing the id_token_hint tells Auth0 to log the user associated with the id_token out of Auth0 (end the session, etc.). However, when I examine my application’s logs, I see a “successful logout”; however, there is no user or database connection associated with it. Should I be passing additional parameters to the /oidc/logout endpoint?

Thank you!