Refresh token not being invalidated after login in different window (after password reset)

  • Which SDK this is regarding: auth0-react
  • SDK Version: 1.4.0
  • Platform Version: Node 14.15.0

Hi! As I read in the documentation for Rotating Refresh Tokens, once enabled it should automatically only allow the latest issued refresh token. Meaning, if I have 2 windows, each in the same SPA using Auth0, I shouldn’t be able to perform actions in the app in one of them once its refresh and access token have both expired, is that right?

However, this is exactly what I can do with my SPA right now. Specifically, if I keep my session open in one tab, and in another window reset my password and login again - expecting to get a new refresh token which invalidates the other window’s refresh token - I can perform actions from both windows without restrictions.

My SPA uses Auth0’s React SDK, and we have enabled rotating refresh tokens. Any help regarding what I might be missing?

1 Like