Feature: Remove refresh token from Active devices on logout
Description: When a user logs out of a SPA, calling the logout endpoint does not revoke the refresh token. This leaves it available for use if it is compromised on the client side or in transit. The revoke refresh token endpoint can be called separately, but it would be good to remove the refresh token for the device on logout.
Use-case: We’re building a SaaS AI SPA and use Auth0 to protect access to our resource APIs.
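The workaround mentioned above (revoke the refresh token yourself, then hit the logout endpoint) as an added example, not code from the original post or from Auth0; it assumes Auth0's documented POST /oauth/revoke endpoint (client_id plus token, no client secret for a public SPA client) and the /v2/logout endpoint, and takes fetch and redirect functions as parameters so the flow can be run without a network.

```javascript
// Added example: SPA logout that revokes the refresh token before ending the
// Auth0 session, so a token captured on the client or in transit is no longer
// usable after logout. Assumed endpoints: POST https://{domain}/oauth/revoke
// and GET https://{domain}/v2/logout. fetchImpl/redirect are injected for testing.
async function logoutWithRevoke(
  { domain, clientId, refreshToken, returnTo },
  fetchImpl,
  redirect,
) {
  let revoked = false;
  if (refreshToken) {
    try {
      const res = await fetchImpl(`https://${domain}/oauth/revoke`, {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        // Public clients send client_id + token only; confidential clients
        // would add client_secret server-side, never in the browser.
        body: JSON.stringify({ client_id: clientId, token: refreshToken }),
      });
      revoked = res.ok; // Auth0 answers 200 on a successful revocation
    } catch (err) {
      // Network failure: still proceed with logout, but report that the
      // refresh token may remain valid so the app can retry or alert.
      revoked = false;
    }
  }
  // Revocation is attempted first; only then is the Auth0 session ended.
  // The app must also delete the token from wherever it stored it locally.
  const logoutUrl = new URL(`https://${domain}/v2/logout`);
  logoutUrl.searchParams.set("client_id", clientId);
  logoutUrl.searchParams.set("returnTo", returnTo);
  redirect(logoutUrl.toString());
  return { revoked, logoutUrl: logoutUrl.toString() };
}
```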
Hi all!
+1 for this feature.
We are currently exploring the implementation of a centralized logout feature that spans across multiple applications deployed on distinct domains, specifically domain1 and domain2. Our objective is to enhance the user experience by ensuring that when a user initiates a logout from the application on domain1, their session is also effectively terminated on domain2. However, we are facing a challenge due to the persistence of an active refresh token on domain2, even after the user has logged out.
Here’s the scenario we are dealing with:
We have multiple applications deployed on separate domains, namely domain1 and domain2.
Upon initiating a logout from the application on domain1, we aim to trigger a corresponding session termination on domain2.
The complication arises from the presence of an active refresh token on domain2, allowing continued authorization even post-logout.