Log out from all first-party applications

Hi. I know that the Auth0 API has a method to revoke a refresh token:
https://auth0.com/docs/api/authentication#revoke-refresh-token
And it also revokes all other refresh tokens for that user and that application.
But let's consider an example:

I have an API that I want to protect with the Auth0 service. And I have 3 different client application types:
an iOS application, an Android application and a single-page web application, all of them first-party. They are developed by the same organisation as the API and they prompt users to enter their credentials (username/password).

All of them are registered as 3 distinct applications in the Auth0 dashboard and have different application types and client ids.

And now I want to add a button that is most often called "log out from all devices". It revokes all refresh tokens on iOS applications, Android applications and single-page web applications. But the revoke token method that I mentioned will revoke only tokens that belong to the current app. So it means that if the user presses this button from the iOS application, only iOS tokens will be revoked and the Android and web tokens will keep working.
I want this button to log out all first-party applications (all devices where the user is logged in).
How can I achieve the desired behaviour?


Hi @georgysavva. Welcome!

I want this button to log out all first-party applications (all devices where the user is logged in).

You can do so by invalidating all grants related to the user. In order to do so you would use:

Note that you won't be able to make requests to the Management API directly from a public client (like the native and SPA apps). So the apps would talk to your own API, and your API would in turn talk to Auth0's Management API to delete the grants (and thus invalidate the existing refresh tokens).

Does that help?

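The flow described in the reply above, as an added example that is not part of the original thread and not Auth0's own SDK code: the backend API, acting as a confidential machine-to-machine client, obtains a Management API token with the client-credentials grant against `https://{domain}/oauth/token` and then calls `DELETE https://{domain}/api/v2/grants?user_id=...`, which removes every grant the user has given to any application in the tenant and so revokes the refresh tokens of all three first-party apps at once. The tenant domain, the M2M client id and secret, the sample `user_id` and the injectable `send` transport (used so the example runs offline) are assumptions for the example; the endpoint paths are Auth0's documented ones.

```python
import json
import urllib.parse
import urllib.request

# Added example. The backend API is a confidential client and may hold a
# client secret; the iOS, Android and SPA apps are public clients and must not.


def _http_send(req):
    """Real transport: send an urllib Request and decode the JSON body."""
    with urllib.request.urlopen(req) as resp:
        data = resp.read()
    return json.loads(data) if data else {}


def get_management_token(domain, client_id, client_secret, send=_http_send):
    """Obtain a Management API access token via the client-credentials grant.

    The audience must be the Management API identifier of the tenant; the M2M
    application needs the delete:grants scope for the call below to succeed.
    """
    body = json.dumps({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": f"https://{domain}/api/v2/",
    }).encode()
    req = urllib.request.Request(
        f"https://{domain}/oauth/token",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    return send(req)["access_token"]


def delete_user_grants(domain, mgmt_token, user_id, send=_http_send):
    """Delete every grant of the user, across all client_ids in the tenant.

    Unlike POST /oauth/revoke, which only revokes the refresh tokens of the
    calling application, this invalidates the refresh tokens of all apps.
    Returns the URL that was called so callers (and tests) can check it.
    """
    query = urllib.parse.urlencode({"user_id": user_id})
    url = f"https://{domain}/api/v2/grants?{query}"
    req = urllib.request.Request(
        url,
        method="DELETE",
        headers={"Authorization": f"Bearer {mgmt_token}"},
    )
    send(req)
    return url


def logout_everywhere(domain, client_id, client_secret, verified_claims,
                      send=_http_send):
    """Handler body for the backend's 'log out from all devices' endpoint.

    verified_claims must be the claims of an access token the API has already
    validated (signature, issuer, audience, expiry). The user_id is taken from
    its 'sub' claim and never from the request body, so a caller can only
    revoke their own grants, not another user's.
    """
    user_id = verified_claims["sub"]
    token = get_management_token(domain, client_id, client_secret, send)
    return delete_user_grants(domain, token, user_id, send)


if __name__ == "__main__":
    # Constructed offline demo: a fake transport that records the requests
    # the handler would send instead of contacting Auth0.
    recorded = []

    def fake_send(req):
        recorded.append((req.get_method(), req.full_url))
        return {"access_token": "fake-management-token"}

    logout_everywhere("example.auth0.com", "m2m-client-id", "m2m-secret",
                      {"sub": "auth0|abc123"}, send=fake_send)
    for method, url in recorded:
        print(method, url)
```

Two caveats for anyone wiring this up: deleting grants revokes refresh tokens, but access tokens already issued stay valid until they expire, so keep the API's access token lifetime short (or check a per-user "logged out at" timestamp on the API side) if the logout must take effect immediately; and the `send` injection is only there so the example runs without a tenant, the real handler uses the default `urllib` transport.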

Thanks for the answer. It helped indeed!
But I have another, related question. I will ask it here if you don't mind.
Most often when you show such a "log out of all devices" button you also show user-agent-parsed information about those devices such as phone model, OS, browser/application name, IP address, the last time it was used, etc.
When first-party applications call my API, the backend only has the access token provided by the application, but this token lives for a short period of time and I can't associate that user-agent information with the access token. A better alternative is to associate it with the refresh token since it's permanent, but applications shouldn't send refresh tokens to the API as I understand it. Taking into account your previous answer, I think it could be associated with the grant id that I use to delete a grant, but I don't know how to get the grant id from the access token.
How could it be accomplished?
Let me know if it's better to have this question in a separate topic.

We'll take the discussion for the last question into the newly created topic: Save and show logged in device information for each access token


Thanks Nico for letting others know!

