Unfortunately, I haven’t been able to get this working because I can’t find a way to retrieve all of a user’s existing refresh tokens. The /api/v2/device-credentials
endpoint does not list refresh tokens issued in the SPA flow, and if there’s another endpoint that does, I haven’t been able to find it.
I haven’t been able to figure out an appropriate workaround so far.
- Revoking tokens pre-login using the /oauth/revoke endpoint won’t work without an existing refresh token. I don’t see a way to revoke tokens from previous sessions without also revoking the token for the current session.
- I thought revoking the application grant pre-login might work, but degrade UX by forcing the user to authorize a new grant on every login. Instead, the grants are auto-authorized (presumably because they’re first-party?), and the SPA is able to log in again without the user re-entering their credentials. Because my goal is to deter users from sharing a single account, this doesn’t suit my needs.
- It seems possible that I could configure Auth0 to treat my SPA as a device such that its refresh tokens would be accessible via /api/v2/device-credentials, but this seems like it might be a lot of work and I’m not confident I would be able to do it securely.
Am I missing something? Does anyone have any suggestions?