I have an API that I want to protect with the Auth0 service. And I have 3 different client application types:
an iOS application, an Android application and a single-page web application, all of them first-party. They are developed by the same organisation as the API and they prompt users to enter their credentials (username/password).
All of them are registered as 3 distinct applications in the Auth0 dashboard and have different application types and client IDs.
And now I want to add a button that is most often called “log out from all devices”. It revokes all refresh tokens on iOS applications, Android applications and single-page web applications. But the revoke token method that I mentioned will revoke only tokens that belong to the current app. So it means if the user presses this button from the iOS application only iOS tokens will be revoked, and Android and web tokens will keep working.
I want this button to log out all first-party applications (all devices where the user is logged in).
How can I achieve the desired behaviour?
Auth0 Management API v2 to delete a grant, iterating over the results from the previous step.
Note that you won’t be able to make requests to the Management API directly from a public client (like the native and SPA apps). So the apps would talk to your own API, and your API would in turn talk to the Auth0’s Management API to delete the grants (and thus invalidate the existing refresh tokens).
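An added example, not code from the thread or from Auth0's own SDKs, of the backend half of that flow in Python: the API lists the user's grants through the Management API v2 grants endpoint and deletes each one. The `transport` callable (so the logic can run offline), the `domain`/`mgmt_token` parameter names and the sample data are assumptions; the user id is expected to come from the access token the API has already validated.

```python
import json
import urllib.parse
import urllib.request
from typing import Any, Dict, List

# Constructed example. transport(method, url, headers, query) -> (status, parsed JSON)
# abstracts HTTP so the logic can be exercised offline; urllib_transport is the real one.


def urllib_transport(method, url, headers, query):
    if query:
        url = f"{url}?{urllib.parse.urlencode(query)}"
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


def list_user_grants(transport, domain, mgmt_token, user_id, per_page=50) -> List[Dict[str, Any]]:
    """Page through GET /api/v2/grants?user_id=... until a short page arrives."""
    headers = {"Authorization": f"Bearer {mgmt_token}"}
    grants, page = [], 0
    while True:
        status, body = transport("GET", f"https://{domain}/api/v2/grants", headers,
                                 {"user_id": user_id, "page": str(page), "per_page": str(per_page)})
        if status != 200:
            raise RuntimeError(f"grant listing failed: HTTP {status}")
        grants.extend(body)
        if len(body) < per_page:
            return grants
        page += 1


def revoke_all_grants(transport, domain, mgmt_token, user_id) -> List[str]:
    """Delete every grant of user_id (typically one per consenting client app); return ids.
    user_id must come from the `sub` claim of the access token the API already
    validated, never from the request body, or one user could log out another.
    Only refresh tokens die with the grant; issued access tokens last until expiry."""
    headers = {"Authorization": f"Bearer {mgmt_token}"}
    deleted: List[str] = []
    for grant in list_user_grants(transport, domain, mgmt_token, user_id):
        url = f"https://{domain}/api/v2/grants/{urllib.parse.quote(grant['id'], safe='')}"
        status, _ = transport("DELETE", url, headers, None)
        if status not in (200, 204):
            raise RuntimeError(f"delete of grant {grant['id']} failed: HTTP {status}")
        deleted.append(grant["id"])
    return deleted
```

With the real transport this is called as `revoke_all_grants(urllib_transport, "YOUR_TENANT.auth0.com", token, sub)` from the endpoint behind the button, where `token` is a Management API token your backend obtained itself.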
Thanks for the answer. It helped indeed!
But I have another, related question. I will ask it here if you don’t mind.
Most often when you show such a “log out of all devices” button you also show user-agent-parsed information about those devices, such as phone model, OS, browser/application name, IP address, last time it was used, etc.
When first-party applications call my API, the backend only has the access token provided by the application, but this token lives for a short period of time and I can’t associate that user-agent information with the access token. A better alternative is to associate it with the refresh token since it’s permanent, but applications shouldn’t send refresh tokens to the API, as I understand. Taking into account your previous answer I think it could be associated with the grant id that I use to delete a grant, but I don’t know how to get the grant id from the access token.
How could it be accomplished?
Let me know if it’s better to have this question in a separate topic.