Revoke Refresh Token on Logout

Feature: Remove refresh token from Active devices on logout

Description: When a user logs out of a SPA, calling the logout endpoint does not revoke the refresh token. This leaves it available for use if it is compromised on the client side or in transit. The revoke refresh token endpoint can be called separately, but it would be good to remove the refresh token for the device on logout.

Use-case: We’re building a SaaS AI SPA and use Auth0 to protect access to our resource APIs.

Hey there!

Thank you for creating this feedback card. Let’s see who else from the community will be interested in such an improvement!


Finally :slight_smile:, I have found one paragraph about that behavior in the official documentation; maybe someone will be interested in Token Best Practices.

Could someone please explain this behavior?
Because I fully agree with the author about the token leakage.


Hi all!
+1 for this feature.
We are currently exploring the implementation of a centralized logout feature that spans across multiple applications deployed on distinct domains, specifically domain1 and domain2. Our objective is to enhance the user experience by ensuring that when a user initiates a logout from the application on domain1, their session is also effectively terminated on domain2. However, we are facing a challenge due to the persistence of an active refresh token on domain2, even after the user has logged out.

Here’s the scenario we are dealing with:

We have multiple applications deployed on separate domains, namely domain1 and domain2.
Upon initiating a logout from the application on domain1, we aim to trigger a corresponding session termination on domain2.
The complication arises from the presence of an active refresh token on domain2, allowing continued authorization even post-logout.


+1 here, this is an absolute need because:

No support in the SDK means many security issues for sure for many users of Auth0.


+1 here. It would be really nice to have this.

+1 from me as well, facing a similar issue to the one @asatretdinov described.

+1 for me as well. It would make managing users’ sessions as an admin easier.

Yes, when a user logs out, the refresh token should be invalidated automatically. Auth0 should call the /revoke API itself.