Revoke refresh tokens after password change

When an account resets its password, I need all logged-in sessions of that account to log out. I set the refresh token to update every 5 minutes. I made a trigger action based on this example from the docs: Post Change Password Flow. The first example is what I am looking for. The only thing is they call their own API, not the Auth0 API. The Auth0 revoke refresh token API requires the refresh token ID, which I don't have access to in that scope. Any other solutions?

Hi @chriscosentino,

Are you using rotating refresh tokens? If so, automatic reuse detection could do this for you: only the latest refresh token would be accepted, and if any refresh token in the 'family' were reused, all refresh tokens would be invalidated and the user would have to re-authenticate to get a new refresh token.
So after a password reset, it would only take the legitimate user a single attempt to get a new refresh token to invalidate all other refresh tokens and ensure only the user with the latest password could get a new one.

If you still wanted to go down the route of revoking refresh tokens straight away, you would need to call the GET device-credentials endpoint in your Action to fetch the user_id's refresh tokens, and then revoke them:

There is a guide here on how to use the Management API within Actions:
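As an added illustration of the list-then-revoke approach Steve describes (this is example code, not from the thread and not Auth0's own Action code), the block below shapes a Post Change Password Action that calls the Management API's `GET /api/v2/device-credentials?user_id=…&type=refresh_token` endpoint and then `DELETE /api/v2/device-credentials/{id}` for each result. The tenant domain and Management API token are assumed to come from Action secrets named `DOMAIN` and `MGMT_TOKEN`; the HTTP client is injected so the revocation logic can be exercised offline against a constructed in-memory stand-in for the API.

```javascript
// Added example, not from the thread or Auth0's docs. Endpoints used:
//   GET    https://{domain}/api/v2/device-credentials?user_id=...&type=refresh_token
//   DELETE https://{domain}/api/v2/device-credentials/{id}
// The HTTP client is injected so the logic can run offline against a fake.

const DEVICE_CREDENTIALS_PATH = '/api/v2/device-credentials';

// Lists a user's refresh tokens via the Management API and deletes each one.
// `http` must provide get(url, headers) -> Promise<Array> and del(url, headers) -> Promise.
// Returns the ids that were revoked. The token is assumed to carry the
// read:device_credentials and delete:device_credentials scopes.
async function revokeUserRefreshTokens(http, domain, mgmtToken, userId) {
  const headers = { Authorization: `Bearer ${mgmtToken}` };
  const base = `https://${domain}${DEVICE_CREDENTIALS_PATH}`;
  const listUrl = `${base}?user_id=${encodeURIComponent(userId)}&type=refresh_token`;
  const creds = await http.get(listUrl, headers);
  const revoked = [];
  for (const cred of creds) {
    // Deleting the device credential invalidates that refresh token; access
    // tokens already issued still live until they expire (the 5-minute window).
    await http.del(`${base}/${encodeURIComponent(cred.id)}`, headers);
    revoked.push(cred.id);
  }
  return revoked;
}

// Shape of the Post Change Password handler. In a real Action this is assigned to
// exports.onExecutePostChangePassword; DOMAIN and MGMT_TOKEN are assumed secret names.
async function onExecutePostChangePassword(event, http) {
  return revokeUserRefreshTokens(
    http,
    event.secrets.DOMAIN,
    event.secrets.MGMT_TOKEN,
    event.user.user_id,
  );
}

// Constructed in-memory stand-in for the Management API, for offline runs only.
function makeFakeManagementApi(seedCredentials) {
  const store = new Map(seedCredentials.map((c) => [c.id, c]));
  return {
    store,
    async get(url, headers) {
      if (!headers.Authorization.startsWith('Bearer ')) throw new Error('unauthorized');
      const u = new URL(url);
      const userId = u.searchParams.get('user_id');
      const type = u.searchParams.get('type');
      return [...store.values()].filter((c) => c.user_id === userId && c.type === type);
    },
    async del(url, headers) {
      if (!headers.Authorization.startsWith('Bearer ')) throw new Error('unauthorized');
      const id = decodeURIComponent(new URL(url).pathname.split('/').pop());
      if (!store.delete(id)) throw new Error(`no credential ${id}`);
    },
  };
}

// Constructed sample data: two refresh tokens for the resetting user, one for another user.
const SAMPLE_CREDENTIALS = [
  { id: 'dcr_aaa111', user_id: 'auth0|alice', type: 'refresh_token', device_name: 'laptop' },
  { id: 'dcr_bbb222', user_id: 'auth0|alice', type: 'refresh_token', device_name: 'phone' },
  { id: 'dcr_ccc333', user_id: 'auth0|bob', type: 'refresh_token', device_name: 'tablet' },
];

// Runs the handler against the fake API and reports what was revoked and what remains.
async function demo() {
  const fakeApi = makeFakeManagementApi(SAMPLE_CREDENTIALS);
  const event = {
    user: { user_id: 'auth0|alice' },
    secrets: { DOMAIN: 'example.auth0.com', MGMT_TOKEN: 'placeholder-mgmt-token' },
  };
  const revoked = await onExecutePostChangePassword(event, fakeApi);
  return { revoked, remaining: [...fakeApi.store.keys()] };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

In a deployed Action the fake client would be replaced by a real HTTP call carrying a Management API token obtained as described in the guide linked above; that token should be scoped to exactly the device-credentials permissions needed, since it is stored as an Action secret. The listing call is not paginated here, so users with very many outstanding refresh tokens would need page handling added.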


Thanks for helping on this one, Steve!
