Auth0 Home Blog Docs

Native logout with credential manager doesn't revoke the idToken

logout
credential-managemen
authenticationapicli

#1

After implementing Logout in my Native Android app, as in the docs (https://auth0.com/docs/quickstart/native/android/03-session-handling#log-out) and in the sample code (https://github.com/auth0-samples/auth0-android-sample/blob/use-cred-manager/03-Session-Handling/app/src/main/java/com/auth0/samples/MainActivity.java):

private void logout() {
     credentialsManager.clearCredentials();
     startActivity(new Intent(this, LoginActivity.class));
     finish();
}}

I’m still able to get user info by using the POST tokeninfo API. I should have got a 401 unauthorize instead.


#2

That is expected given the logout does not currently revoke any self-contained token that was already issued; by self-contained token I mostly mean a JWT (ID token or access token). The most widespread practice is that these tokens are valid until the expiration date with which they were issued meaning that you need to be conscious about the lifetime you configure for those tokens.


#3

@jmangelo Is there a way to use reference token instead of self-contained?


#4

@jmangelo Is there a way to use reference token instead of self-contained?


#5

ID tokens are always JWT’s by specification requirement and currently any access token issued to an API you configure in the APIs section is also a JWT although in the future other formats may be supported (including reference tokens). In addition, have in mind that even for reference tokens revocation is not mandatory so the fact that a reference token is used does not imply it’s possible to revoke them. I initially phrased my answer like that because revocation when supported is more frequently associated with reference tokens.


#6