Logout Not Invalidating Access Token in Machine-to-Machine Application

Hello Auth0 community,

We are currently using Auth0 for authentication in a Machine-to-Machine (M2M) setup with our application server hosted on AWS. Users log in using the Password Realm (email/password), and we call the Auth0 API to obtain access and ID tokens upon sign-in.

Here’s the API we use to fetch the Access Token and ID Token for a user:

URL: https://{domain}/oauth/token

Method: POST

Request Body: (x-www-form-urlencoded)

grant_type: http://auth0.com/oauth/grant-type/password-realm
username: {email}
password: {password}
client_id: {clientId}
client_secret: {secret}
audience: {audience}
scope: openid profile email
realm: Username-Password-Authentication

The issue arises when trying to log the user out. We followed the steps outlined in the Auth0 documentation for logging out via the Auth0 Logout API, but the access token remains valid after logout, and the user is not completely logged out.

Here are the Logout APIs we’ve tried:

  1. GET https://{yourDomain}/v2/logout?client_id={yourClientId}&returnTo=LOGOUT_URL
  2. GET https://{yourDomain}/oidc/logout?post_logout_redirect_uri=LOGOUT_URL&id_token_hint=ID_TOKEN_HINT

While the Auth0 monitoring logs show a successful logout for the application, it doesn’t seem to apply to the user. After logging out, when we invoke the user info endpoint using the access token, we still receive user details instead of an unauthorized response.

API to validate the access token:

GET https://{yourDomain}/userinfo

Authorization: 'Bearer {ACCESS_TOKEN}'

Our setup:

  • Application Type: Machine-to-Machine (M2M)
  • Login Method: Password Realm (email and password)
  • Platform: AWS-hosted application server, using Auth0 APIs for token generation

What we are trying to achieve:

  1. Successfully log out the user.
  2. Invalidate the access token in the Auth0 server upon logout.

Has anyone encountered a similar issue or can provide guidance on how to ensure the access token is properly invalidated after the user logs out?

We appreciate any assistance or insights!

Thank you in advance.

Hi @karthik.ravirambe,

Welcome to the Auth0 Community!

Unfortunately, JWT access tokens cannot be revoked and are valid until they expire. Hence, the token can be used against the /userinfo endpoint even though the user has already logged out.

In general, we recommend using short-lived access tokens to prevent token abuse/misuse.

I suggest referencing our Invalidating an Access Token after User Logout documentation for a detailed explanation.

Cheers,
Rueben

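The answer above explains why a logout at Auth0 leaves a JWT access token usable until its exp claim passes. The following is an added example, not code from this thread or from Auth0, showing that behaviour on a resource server together with the two mitigations a practitioner pairs with it: a short lifetime and a per-jti denylist consulted on every request. It assumes a constructed HS256 key and a hypothetical jti claim; real Auth0 access tokens are RS256 and must be verified against the tenant's JWKS instead.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real resource server verifies Auth0's RS256
# signature with the tenant JWKS rather than a shared HMAC secret.
SECRET = b"demo-signing-key-not-real"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, jti: str, now: int, ttl: int) -> str:
    """Mint an HS256 JWT with a fixed lifetime; a JWT carries no revocation state."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: int, revoked_jti=frozenset()) -> Optional[str]:
    """Return the subject only if signature, expiry and the local denylist all pass."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    if now >= claims["exp"]:
        return None
    if claims.get("jti") in revoked_jti:
        return None
    return claims["sub"]

def logout_demo() -> dict:
    """Walk through the thread's scenario: a logout alone leaves the token valid."""
    t0 = 1_700_000_000
    token = mint_token("auth0|user123", "jti-1", t0, ttl=300)
    results = {"before_logout": verify_token(token, t0 + 10)}
    # Logging out at the authorization server changes nothing inside the token.
    results["after_logout_no_denylist"] = verify_token(token, t0 + 20)
    # Mitigation 1: the resource server records the jti until exp and rejects it.
    results["after_logout_with_denylist"] = verify_token(token, t0 + 20, {"jti-1"})
    # Mitigation 2: a short ttl bounds the window; the token dies on its own at exp.
    results["after_expiry"] = verify_token(token, t0 + 300)
    return results
```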
