Overview
This article explains how to automatically revoke a user's refresh tokens when that user changes their password.
Applies To
- Refresh Tokens
- Post-change password action
Cause
When a user resets their password, their sessions are terminated; however, any refresh tokens already issued to them remain valid and can still be exchanged for new access tokens.
Solution
The Management API has some endpoints for revoking refresh tokens in bulk or by ID:
A post-change password flow can be used to call this refresh token revocation endpoint after a user successfully resets their password. For example:
exports.onExecutePostChangePassword = async (event, api) => {
  // The Management API client authenticates with credentials stored as Action secrets
  // (domain, clientId, clientSecret) for an application authorized to call the Management API.
  const ManagementClient = require('auth0').ManagementClient;
  const management = new ManagementClient({
    domain: event.secrets.domain,
    clientId: event.secrets.clientId,
    clientSecret: event.secrets.clientSecret
  });
  const params = { user_id: event.user.user_id };
  try {
    console.log("Deleting refresh tokens for user: ", event.user.user_id);
    // Revokes every refresh token issued to this user in a single call.
    await management.users.deleteRefreshTokens(params);
  } catch (err) {
    // Log and continue: a failure here does not block the password change itself.
    console.log("Error revoking refresh tokens:", err);
  }
};
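The following is an added example, not the article's or Auth0's own code. It performs the same revocation step against the raw Management API endpoints (a client-credentials request to POST /oauth/token, then DELETE /api/v2/users/{id}/refresh-tokens) with the HTTP client injected, so the requests the Action builds can be checked offline before it is deployed. The secret names (domain, clientId, clientSecret) follow the article; the fake fetch, the sample event and the fake token value are constructed for this example.

```javascript
// Added example, not the article's or Auth0's own code: the revocation step from
// the Action above against the raw Management API endpoints, with fetch injected
// so it can run against a fake. Secret names follow the article; the fake
// responses, sample event and token value below are constructed.

// Client-credentials request for a Management API token. The audience is the
// tenant's Management API identifier, including the trailing slash.
function buildTokenRequest({ domain, clientId, clientSecret }) {
  return {
    method: 'POST',
    url: `https://${domain}/oauth/token`,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
      audience: `https://${domain}/api/v2/`,
    }),
  };
}

// Bulk-revocation request. User IDs contain '|' (e.g. "auth0|abc123"), so the
// path segment must be percent-encoded or the URL is malformed.
function buildRevokeRequest({ domain, userId, accessToken }) {
  return {
    method: 'DELETE',
    url: `https://${domain}/api/v2/users/${encodeURIComponent(userId)}/refresh-tokens`,
    headers: { Authorization: `Bearer ${accessToken}` },
  };
}

// Map the revocation response to an outcome. 204 is success; 429 is the
// Management API rate limit and should be retried rather than silently dropped.
function interpretRevokeStatus(status) {
  if (status === 204) return { revoked: true, retry: false, reason: 'ok' };
  if (status === 429) return { revoked: false, retry: true, reason: 'rate-limited' };
  if (status === 401 || status === 403) return { revoked: false, retry: false, reason: 'unauthorized' };
  if (status === 404) return { revoked: false, retry: false, reason: 'user-not-found' };
  return { revoked: false, retry: false, reason: `unexpected-status-${status}` };
}

// The Action body with fetch injected. It returns the outcome instead of only
// logging it, so the caller can act on a retryable failure.
async function revokeRefreshTokensForUser(event, fetchImpl) {
  const { domain, clientId, clientSecret } = event.secrets;
  const tokenReq = buildTokenRequest({ domain, clientId, clientSecret });
  const tokenRes = await fetchImpl(tokenReq.url, tokenReq);
  if (tokenRes.status !== 200) {
    return { revoked: false, retry: false, reason: `token-request-failed-${tokenRes.status}` };
  }
  const { access_token } = await tokenRes.json();
  const revokeReq = buildRevokeRequest({ domain, userId: event.user.user_id, accessToken: access_token });
  const revokeRes = await fetchImpl(revokeReq.url, revokeReq);
  const outcome = interpretRevokeStatus(revokeRes.status);
  // Log the user id and outcome only; never the token or the client secret.
  console.log(`refresh-token revocation for ${event.user.user_id}: ${outcome.reason}`);
  return outcome;
}

// Constructed fake fetch: routes by URL, records every call, and answers the
// revocation endpoint with a configurable status.
function makeFakeFetch(revokeStatus) {
  const calls = [];
  const fetchImpl = (url, init) => {
    calls.push({ url, method: init.method, authorization: (init.headers || {}).Authorization });
    if (url.endsWith('/oauth/token')) {
      return Promise.resolve({ status: 200, json: async () => ({ access_token: 'FAKE_MGMT_TOKEN' }) });
    }
    return Promise.resolve({ status: revokeStatus });
  };
  return { fetchImpl, calls };
}

// Constructed sample event in the shape the post-change-password trigger provides.
const sampleEvent = {
  user: { user_id: 'auth0|abc123' },
  secrets: { domain: 'example.auth0.com', clientId: 'EXAMPLE_CLIENT_ID', clientSecret: 'EXAMPLE_CLIENT_SECRET' },
};
```

Running revokeRefreshTokensForUser(sampleEvent, makeFakeFetch(204).fetchImpl) records two calls, the token request and the DELETE with the bearer token, and resolves to { revoked: true }. Feeding 429 into makeFakeFetch shows the retry flag the original Action's catch-and-log would otherwise hide.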
Please see this article and the following GitHub page for more information on using the Management API in Actions:
Some additional information on revoking refresh tokens can be found here:
Please note that local application sessions need to be handled separately in most cases; however, Back-Channel Logout can help synchronize them on certain events: