Revoke Refresh Token on Logout

Feature: Remove refresh token from Active devices on logout

Description: When a user logs out of a SPA, calling the logout endpoint does not revoke the refresh token. This leaves it available for use if it is compromised on the client side or in transit. The revoke refresh token endpoint can be called separately, but it would be good to remove the refresh token for the device on logout.

Use-case: We’re building a SaaS AI SPA and use Auth0 to protect access to our resource APIs.

Hey there!

Thank you for creating this feedback card. Let’s see who else from the community will be interested in such an improvement!


Hi, everyone,
+1 to this question.

It is really implicit behavior, and the official documentation (here: Refresh Token Rotation) doesn’t describe this behavior.

I think it happens because Auth0 creates refresh tokens in separate ‘families’ and removes only tokens from the current session family when it detects reuse, but I may be mistaken.

PS: Maybe we don’t see active feedback from other users because they don’t know about this.

Finally :slight_smile:, I have found one paragraph about that behavior in the official documentation; maybe someone will be interested: Token Best Practices

Could someone please explain this behavior? I fully agree with the author about the token leakage.