Revoke Refresh Tokens when a User Changes or Reset Password after Account Compromise

Overview

This article explains how to revoke refresh tokens when a user changes their password automatically.

Applies To

• Refresh Tokens
• Post-change password action

Cause

When a user resets their password, their sessions are terminated; however, refresh tokens will remain valid.

Solution

The Management API has some endpoints for revoking refresh tokens in bulk or by ID:

• Manage Refresh Tokens with Auth0 Management API
• Revokes selected resources from a user

A post-change password flow could be used to trigger this refresh token revocation endpoint after a user successfully reset their password. For example:

exports.onExecutePostChangePassword = async (event, api) => {

const ManagementClient = require('auth0').ManagementClient;

const management = new ManagementClient({
  domain: event.secrets.domain,
  clientId: event.secrets.clientId,
  clientSecret: event.secrets.clientSecret
})

const params = {user_id: event.user.user_id};

try {
  console.log("Deleting refresh tokens for user: ",event.user.user_id);
  const res = await management.users.deleteRefreshTokens(params);
  
} catch (err) {
  console.log("Error revoking refresh tokens:",err);
}

  
};

Please see this article and the following Github page for more information on using the Management API in Actions:

• Using the Management API in Actions
• deleteRefreshTokens

Some additional information on revoking refresh tokens can be found here:

• Revoke Refresh Tokens

Please note that local application sessions would need to be handled separately in most cases, but backchannel logout does allow for helping to synchronize this on certain events:

• OIDC Back-Channel Logout
• OIDC Back-Channel Logout Initiators