Let’s say we’re using Auth0 user/password connection to store users, and we give a client a short live acess token and long lived renew token. They access our SaaS fine. All good so far
Then what happens if we do the following from the Auth0 dashboard.
We click ‘Block User’ from the Actions drop down button for that particular user
or
We click ‘Applciations’ tab for that particular User and revoke that particular application for that user
I am hoping the answer is that requesting a new access token via the renew token will fail since either of those actions will invalidate the renewal token but I wanted to make sure, docs are not clear, can you please confirm?
If the user is blocked due to brute force attack, the user will still be able to renew a token using the refresh token.
If you revoke an application from Authorised Application tab in User details, the refresh token will be revoked and trying to renew will throw error message.
I need to revoke the refresh token if the user account is blocked and couldn’t find any solution for that
Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.
Wanted to reach out to know if you still require further assistance?
