We’re looking to set up a React JS and React Native app which will use access and refresh tokens to talk to our backend API.
When the user changes their password we would like to log them out of all active sessions, as a reason for changing their password might be that their account got compromised.
I know we can revoke refresh tokens for a given user, and I also understand there’s no way to invalidate an access token. If we don’t want to refresh our access token very frequently that still leaves a gap for an attacker.
I was wondering if you had any guidance on how we could build our own system leveraging Auth0 to handle this use case. I can’t imagine we’re the first to run into this issue.
Hi,
You can leverage Auth0’s post-change-password hook to revoke refresh tokens.
This will effectively end all sessions and require re-authentication for the user.
Since access tokens are stateless and cannot be invalidated directly, setting them with a short lifetime and using refresh tokens is recommended.
When a password change occurs, revoking the refresh token ensures that any active session is terminated.
Hope this helps!
Hi @johan.lindell
Indeed, as mentioned by @Fario_Consulting, if you are using a SPA application, the password change should invalidate all sessions on the Auth0 session layer; all the solutions provided by them should do the trick for the issue that you are having.
Regarding sessions: there is the Auth0 session, which exists as a cookie, and that cookie should be invalidated automatically on password change. There is the application session, which is a completely separate layer. There is also the IdP session, which may or may not be Auth0 depending on your connection; you may also not want to log the user out of this session if it is Google, for instance.
If you have any other questions, feel free to let us know by leaving a reply!
Kind Regards,
Nik
You can change it to anything lower than 3600 seconds (1 hour); however, it depends on what you find suitable for your use case. I would recommend using anything between 300 and 1800 seconds (5-30 minutes) to see which one behaves best for your application.
Kind Regards,
Nik
Wouldn’t that mean that an attacker had free use of the system for another 5-30 minutes after a password change has been made?
Hi @johan.lindell
If the application layer is not being terminated, that would be true; however, since you are using React, you should be able to use the logout() method. The logout() method from the Auth0 React SDK clears the application session and redirects to the Auth0 /v2/logout endpoint to clear the Auth0 session.
You can pass an object argument to logout() to customize the logout behavior of the React application. This can be achieved as follows:
import { useAuth0 } from "@auth0/auth0-react";
import React from "react";

export const LogoutButton = () => {
  const { logout } = useAuth0();

  const handleLogout = () => {
    // Clears the application session, then redirects to /v2/logout
    // so the Auth0 session is cleared as well.
    logout({
      logoutParams: {
        // Where Auth0 sends the user after logout completes.
        returnTo: window.location.origin,
      },
    });
  };

  return (
    <button className="button__logout" onClick={handleLogout}>
      Log Out
    </button>
  );
};
Also, in our React Native SDK, you have the clearSession() method to clear the session from the authorization server:
import React from 'react';
import { Button } from 'react-native';
import { useAuth0 } from 'react-native-auth0';

const LogoutButton = () => {
  const { clearSession } = useAuth0();

  const onPress = async () => {
    try {
      // Ends the session on the authorization server.
      await clearSession();
    } catch (e) {
      console.log(e);
    }
  };

  return <Button onPress={onPress} title="Log out" />;
};
Alternatively, you can implement Refresh Token Rotation in your application.
You can also review this knowledge article regarding Logging out after Password Change.
If you have any other questions or issues with your implementation, please let us know!
Kind Regards,
Nik
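The remaining concern in this thread is the window between a password change and the expiry of already-issued access tokens. One way an API can close that window on its own side is a server-side freshness rule: reject any access token whose iat predates the user's last password change, even if exp has not passed. The code below is an added example, not code from the thread or from Auth0; it assumes the API has already verified the JWT signature with its usual library and passes the decoded claims in, and the passwordChangedAt map stands in for whatever store your post-change-password hook would populate.

```javascript
// Added example: server-side "issued before password change" check.
// Assumes signature verification already happened upstream; only the
// freshness rule on the decoded claims is shown here.

// Hypothetical store: user id (sub) -> Unix time in seconds of the last
// password change. In production this is a database or cache written by
// the post-change-password hook/Action; here it is an in-memory map.
const passwordChangedAt = new Map();

// Called when the password-change event for a user is received.
function recordPasswordChange(sub, changedAtSeconds) {
  passwordChangedAt.set(sub, changedAtSeconds);
}

// Returns { ok, reason }. A token minted before the recorded change is
// refused even though it is still inside its exp window, so the attacker's
// token stops working at the moment of the change instead of at expiry.
function isAccessTokenAcceptable(claims, nowSeconds) {
  if (typeof claims.sub !== 'string' ||
      typeof claims.iat !== 'number' ||
      typeof claims.exp !== 'number') {
    return { ok: false, reason: 'missing_claims' };
  }
  if (claims.exp <= nowSeconds) {
    return { ok: false, reason: 'expired' };
  }
  const changedAt = passwordChangedAt.get(claims.sub);
  if (changedAt !== undefined && claims.iat < changedAt) {
    return { ok: false, reason: 'issued_before_password_change' };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed sample: two tokens for one user, both still within exp, one
// issued ten minutes before the change and one thirty seconds after it.
function demo() {
  const changedAt = 1700000000;  // constructed Unix time of the change
  const now = changedAt + 120;   // API call two minutes after the change
  recordPasswordChange('auth0|demo-user', changedAt);
  const before = { sub: 'auth0|demo-user', iat: changedAt - 600, exp: changedAt + 3000 };
  const after = { sub: 'auth0|demo-user', iat: changedAt + 30, exp: changedAt + 3630 };
  return {
    before: isAccessTokenAcceptable(before, now).reason,
    after: isAccessTokenAcceptable(after, now).reason,
  };
}
```

This does reintroduce a per-request lookup, so the store should be a fast cache keyed by sub; the lookup only needs to hold entries for as long as the longest access token lifetime.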