Refresh token revocation

Problem statement

I am trying to achieve the goal of invalidating a user’s session on Auth0 native apps after they reset their password on the web app. I’m looking at doing this by revoking refresh tokens with the Management API so the user is logged out.

My question is that since a user could have many refresh tokens across multiple devices, would I need to revoke all of them by making multiple calls to this endpoint or would it be enough to just call it once with the first refresh token ID returned from here?

Since they are rotating refresh tokens that are expired when a new one is issued, should I revoke all refresh tokens to log the user out?

Solution

You can remove the offline_access grant for the user.

  1. Call GET /api/v2/grants?user_id=<user_id> to list the user's grants.
  2. Call DELETE /api/v2/grants/{id} with the chosen grant id.

Deleting a grant automatically deletes the associated device credential as well, so this approach removes the user's consent together with the refresh token.
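The two steps above carried out as a script, added here as an illustration and not Auth0's own code or SDK. It lists the user's grants, keeps those whose scope includes offline_access (the grants that are backed by refresh tokens; a user typically holds one per client application, which is why a single DELETE may not cover every device), and deletes each of them. The tenant domain, Management API token, the grant ids and the SAMPLE_GRANTS records are placeholders and constructed values; the fake transport lets the script run offline and shows exactly which requests the real transport would send.

```python
"""Added example (not Auth0's own code): list a user's grants via the Management API,
then delete every grant that carries offline_access so its refresh tokens stop working.
Tenant domain, token and the sample grant records are placeholders / constructed values."""
import json
import urllib.parse
import urllib.request
from typing import Any, Callable

# A transport takes (HTTP method, path) and returns the decoded JSON body, or None.
Transport = Callable[[str, str], Any]


def make_auth0_transport(domain: str, mgmt_token: str) -> Transport:
    """Real transport: sends the request to https://<domain><path> with a Bearer token.
    Only used when running against an actual tenant; the demo below uses a fake instead."""
    def send(method: str, path: str) -> Any:
        req = urllib.request.Request(
            f"https://{domain}{path}",
            method=method,
            headers={"Authorization": f"Bearer {mgmt_token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read()
        return json.loads(body) if body else None
    return send


def offline_access_grant_ids(grants: list) -> list:
    """Select the grants that include offline_access: those are the ones that have
    refresh tokens behind them. Grants for clients that never asked for a refresh
    token are left untouched."""
    return [g["id"] for g in grants if "offline_access" in g.get("scope", [])]


def revoke_user_refresh_tokens(user_id: str, transport: Transport) -> list:
    """Step 1: GET /api/v2/grants?user_id=<user_id>
    Step 2: DELETE /api/v2/grants/{id} for each offline_access grant found.
    Returns the list of grant ids that were deleted."""
    query = urllib.parse.urlencode({"user_id": user_id})
    grants = transport("GET", f"/api/v2/grants?{query}") or []
    # Defensive check: only act on grants that really belong to this user.
    grants = [g for g in grants if g.get("user_id") == user_id]
    deleted = offline_access_grant_ids(grants)
    for grant_id in deleted:
        transport("DELETE", f"/api/v2/grants/{urllib.parse.quote(grant_id, safe='')}")
    return deleted


# Constructed sample data standing in for a tenant's answer to GET /api/v2/grants:
# one grant per client; the web app never requested offline_access, the two native apps did.
SAMPLE_GRANTS = [
    {"id": "cgr_web_0001", "clientID": "webapp_client", "user_id": "auth0|user1",
     "audience": "https://api.example.com", "scope": ["openid", "profile"]},
    {"id": "cgr_ios_0002", "clientID": "ios_client", "user_id": "auth0|user1",
     "audience": "https://api.example.com", "scope": ["openid", "offline_access"]},
    {"id": "cgr_android_0003", "clientID": "android_client", "user_id": "auth0|user1",
     "audience": "https://api.example.com", "scope": ["openid", "offline_access"]},
]


def make_fake_transport(grants: list, log: list) -> Transport:
    """Offline stand-in for the Management API: answers GET with the sample grants and
    records every request so the caller can verify what would have been sent."""
    def send(method: str, path: str) -> Any:
        log.append((method, path))
        return grants if method == "GET" else None
    return send


if __name__ == "__main__":
    calls: list = []
    removed = revoke_user_refresh_tokens("auth0|user1", make_fake_transport(SAMPLE_GRANTS, calls))
    print("Deleted grants:", removed)
    for method, path in calls:
        print(method, path)
```

To run it against a tenant, replace the fake with `make_auth0_transport("YOUR_TENANT.auth0.com", "<management API token>")`; the token needs permission to read and delete grants. The user-id filter after the GET is there so that a mis-built query can never delete another user's grants.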