We’re looking to set up a React JS and React Native app which will use access and refresh tokens to talk to our backend API.
When the user changes their password we would like to log them out of all active sessions, as a reason for changing their password might be that their account got compromised.
I know we can revoke refresh tokens for a given user, and I also understand there’s no way to invalidate an access token. If we don’t want to refresh our access token very frequently, that still leaves a gap for an attacker.
I was wondering if you had any guidance on how we could build our own system leveraging Auth0 to handle this use case. I can’t imagine we’re the first to run into this issue.
Hi,
You can leverage Auth0’s post-change-password hook to revoke refresh tokens.
This will effectively end all sessions and require re-authentication for the user.
Since access tokens are stateless and cannot be invalidated directly, setting them with a short lifetime and using refresh tokens is recommended.
When a password change occurs, revoking the refresh token ensures that any active session is terminated.
Hope this helps!
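The revocation described in the reply above, as an added example that is not code from the thread or from Auth0: the shape of an Auth0 Action for the post-change-password trigger that revokes the user's refresh tokens (and Auth0 sessions) through the Management API, exercised here against a constructed stand-in for `fetch` so it runs offline. Everything beyond the trigger name is an assumption: a machine-to-machine application authorised for the Management API with `delete:refresh_tokens` and `delete:sessions` scopes, its credentials stored as the Action secrets `DOMAIN`, `M2M_CLIENT_ID` and `M2M_CLIENT_SECRET`, and a tenant on which `DELETE /api/v2/users/{id}/refresh-tokens` and `DELETE /api/v2/users/{id}/sessions` are available.

```javascript
// Added example, not from the thread or Auth0. Assumptions: an M2M application
// with delete:refresh_tokens / delete:sessions on the Management API, whose
// credentials live in the Action secrets DOMAIN, M2M_CLIENT_ID, M2M_CLIENT_SECRET.

// Client-credentials grant for a Management API token; the audience is the
// tenant's Management API identifier.
async function getManagementToken(domain, clientId, clientSecret, fetchFn) {
  const res = await fetchFn(`https://${domain}/oauth/token`, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({
      grant_type: "client_credentials",
      client_id: clientId,
      client_secret: clientSecret,
      audience: `https://${domain}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const { access_token } = await res.json();
  return access_token;
}

// Revoke everything the user holds at the Auth0 layer. Returns which of the two
// calls succeeded so a partial failure is logged rather than hidden.
async function revokeAuth0Grants(domain, userId, token, fetchFn) {
  const base = `https://${domain}/api/v2/users/${encodeURIComponent(userId)}`;
  const headers = { authorization: `Bearer ${token}` };
  const result = {};
  for (const what of ["refresh-tokens", "sessions"]) {
    const res = await fetchFn(`${base}/${what}`, { method: "DELETE", headers });
    result[what] = res.status === 202 || res.status === 204;
  }
  return result;
}

// Action handler. In the Auth0 editor this is assigned as
// `exports.onExecutePostChangePassword`; it is a plain function here so it can
// be driven with an injected fetch. The access tokens already issued stay valid
// until they expire, which is why the thread pairs this with a short lifetime.
async function onExecutePostChangePassword(event, api, fetchFn = globalThis.fetch) {
  const { DOMAIN, M2M_CLIENT_ID, M2M_CLIENT_SECRET } = event.secrets;
  const token = await getManagementToken(DOMAIN, M2M_CLIENT_ID, M2M_CLIENT_SECRET, fetchFn);
  const outcome = await revokeAuth0Grants(DOMAIN, event.user.user_id, token, fetchFn);
  const failed = Object.keys(outcome).filter((k) => !outcome[k]);
  if (failed.length) {
    // Do not block the password change itself; surface the problem instead.
    console.warn(`revocation failed for ${failed.join(", ")} on ${event.user.user_id}`);
  }
  return outcome;
}

// Constructed stand-in for fetch: records every call and answers the way the
// token endpoint and Management API would for a valid M2M token.
function makeFakeFetch(log) {
  return async (url, init = {}) => {
    log.push({ method: init.method || "GET", url });
    if (url.endsWith("/oauth/token")) {
      return { ok: true, status: 200, json: async () => ({ access_token: "mgmt-token" }) };
    }
    if (init.method === "DELETE" && init.headers.authorization === "Bearer mgmt-token") {
      return { ok: true, status: 204, json: async () => ({}) };
    }
    return { ok: false, status: 401, json: async () => ({}) };
  };
}

// Runs the handler against a constructed event and returns what it requested.
async function demo() {
  const log = [];
  const event = {
    user: { user_id: "auth0|example-user" }, // constructed user id
    secrets: { DOMAIN: "example.auth0.com", M2M_CLIENT_ID: "id", M2M_CLIENT_SECRET: "secret" },
  };
  const outcome = await onExecutePostChangePassword(event, {}, makeFakeFetch(log));
  return { outcome, log };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The handler deliberately returns the per-resource outcome instead of throwing: a failed Management API call should show up in the Action logs, but it should not leave the user unable to change a password that may already be in an attacker's hands.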
Indeed, as mentioned by @Fario_Consulting, if you are using an SPA application, the password change should invalidate all sessions on the Auth0 session layer. All the solutions provided by them should do the trick for the issue that you are having.
Regarding sessions: there is the Auth0 session, which exists as a cookie, and that cookie should be invalidated automatically on password change; there is the application session, which is a completely separate layer; and there is also the IdP session, which may or may not be Auth0 depending on your connection. You may also not want to log the user out of this session if it is Google, for instance.
If you have any other questions, feel free to let us know by leaving a reply!
You can change it to anything lower than 3600 seconds (1 hour); however, it depends on what you find suitable for your use case. I would recommend trying anything between 300 and 1800 seconds (5-30 minutes) to see which behaves best for your application.
If the application layer is not being terminated, that would be true. However, since you are using React, you should be able to use the logout() method. The `logout()` method from the Auth0 React SDK clears the application session and redirects to the Auth0 /v2/logout endpoint to clear the Auth0 session.
You can pass an object argument to logout() to customize the logout behavior of the React application.
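The client side of the picture, as an added example that is not code from the thread or from Auth0: an API-client wrapper built on the two values `useAuth0()` from @auth0/auth0-react exposes, `getAccessTokenSilently` and `logout`. It retries once after a 401 by forcing the SDK to fetch a new access token (a refresh-token exchange); if that fails because the refresh token was revoked after the password change, it calls `logout()` with the object argument mentioned above so the application session is cleared and the user is sent through /v2/logout. Assumptions: the backend answers 401 for an expired token, the SDK's v2 `cacheMode: "off"` option forces the exchange, the SDK surfaces a dead session as an error whose `error` property is `invalid_grant`, `login_required` or `missing_refresh_token`, and the SDK and backend here are constructed stand-ins. This targets the React web SDK; react-native-auth0 has a different API.

```javascript
// Added example, not from the thread or the Auth0 SDKs. Assumed error codes
// that mean "the Auth0 session / refresh token is gone" (assumption).
const SESSION_GONE = new Set(["invalid_grant", "login_required", "missing_refresh_token"]);

// getAccessTokenSilently / logout are the values returned by useAuth0().
function createAuthedFetch({ getAccessTokenSilently, logout, fetchFn = globalThis.fetch, returnTo = "/" }) {
  // Ask the SDK for a token; on a dead session trigger logout and return null.
  // Other errors (network, misconfiguration) are rethrown, not turned into logouts.
  async function acquire(opts) {
    try {
      return await getAccessTokenSilently(opts);
    } catch (err) {
      if (err && SESSION_GONE.has(err.error)) {
        await logout({ logoutParams: { returnTo } });
        return null;
      }
      throw err;
    }
  }

  return async function authedFetch(url, init = {}) {
    const send = (token) =>
      fetchFn(url, { ...init, headers: { ...(init.headers || {}), authorization: `Bearer ${token}` } });

    let token = await acquire();
    if (token === null) return null;
    let res = await send(token);
    if (res.status !== 401) return res;

    // The short-lived access token may simply have expired: force a refresh.
    // A revoked refresh token surfaces here and ends the application session.
    token = await acquire({ cacheMode: "off" });
    if (token === null) return null;
    return send(token);
  };
}

// Constructed stand-ins for the SDK hook values and the backend API.
function makeScenario({ refreshRevoked }) {
  const calls = { logout: [] };
  const sdk = {
    getAccessTokenSilently: async (opts = {}) => {
      if (opts.cacheMode !== "off") return "old-token"; // what the SDK had cached
      if (refreshRevoked) {
        const err = new Error("Unknown or invalid refresh token.");
        err.error = "invalid_grant";
        throw err;
      }
      return "new-token";
    },
    logout: async (opts) => {
      calls.logout.push(opts);
    },
  };
  // Backend that only honours the current token; "old-token" has expired.
  const backend = async (url, init) =>
    init.headers.authorization === "Bearer new-token" ? { status: 200 } : { status: 401 };
  return { sdk, backend, calls };
}

// Runs one request through the wrapper and reports what happened.
async function simulate({ refreshRevoked }) {
  const { sdk, backend, calls } = makeScenario({ refreshRevoked });
  const authedFetch = createAuthedFetch({ ...sdk, fetchFn: backend, returnTo: "https://app.example/" });
  const res = await authedFetch("https://api.example/me");
  return {
    status: res ? res.status : null,
    loggedOut: calls.logout.length === 1,
    logoutArgs: calls.logout[0],
  };
}

Promise.all([simulate({ refreshRevoked: true }), simulate({ refreshRevoked: false })]).then((results) =>
  console.log(JSON.stringify({ revoked: results[0], stillValid: results[1] }, null, 2))
);
```

With the refresh token revoked the wrapper never gets a second token: `logout()` fires with the `returnTo` the caller chose and the request resolves to `null`, so the UI can stop rendering protected content. When the refresh token is still valid the retry succeeds with the new token and the caller sees the 200.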