Revoke Refresh Tokens when a User Changes or Resets Their Password after Account Compromise

Overview

This article explains how to automatically revoke a user's refresh tokens when the user changes their password.

Applies To

  • Refresh Tokens
  • Post-change password action

Cause

When a user resets their password, their sessions are terminated; however, any refresh tokens already issued to that user remain valid until they expire or are explicitly revoked.

Solution

The Management API has some endpoints for revoking refresh tokens in bulk or by ID:

A post-change password flow can be used to call the refresh token revocation endpoint after a user successfully resets their password. For example:

exports.onExecutePostChangePassword = async (event, api) => {
  const ManagementClient = require('auth0').ManagementClient;

  // Management API credentials are read from the Action's secrets, not hard-coded.
  const management = new ManagementClient({
    domain: event.secrets.domain,
    clientId: event.secrets.clientId,
    clientSecret: event.secrets.clientSecret
  });

  const params = { user_id: event.user.user_id };

  try {
    console.log("Deleting refresh tokens for user: ", event.user.user_id);
    // Revokes every refresh token that has been issued to this user.
    await management.users.deleteRefreshTokens(params);
  } catch (err) {
    console.log("Error revoking refresh tokens:", err);
  }
};
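The following is an added example, not Auth0's code or the original article's: an offline harness that exercises the same post-change-password logic against in-memory stand-ins, so you can see the effect the article describes (refresh tokens outlive the terminated session until they are revoked) without the real auth0 SDK or a tenant. FakeManagementClient, refreshAccessToken, buildAction and scenario are names constructed for this example, and the secrets values are placeholders.

```javascript
// Added example (not Auth0's code or the original article's): an offline
// harness that runs the post-change-password logic against in-memory
// stand-ins. FakeManagementClient, refreshAccessToken, buildAction and
// scenario are names constructed for this example.

// In-memory stand-in for the Management API "delete refresh tokens for a
// user" endpoint. Only the single method the Action calls is implemented.
class FakeManagementClient {
  constructor(store) {
    this.users = {
      // Same parameter shape as the Action in the article.
      deleteRefreshTokens: async (params) => {
        const before = store.tokens.length;
        store.tokens = store.tokens.filter((t) => t.userId !== params.user_id);
        return { revoked: before - store.tokens.length };
      },
    };
  }
}

// Stand-in for the token endpoint: a refresh token is accepted only while it
// is still present in the store, i.e. while it has not been revoked.
function refreshAccessToken(store, refreshToken) {
  const known = store.tokens.some((t) => t.token === refreshToken);
  return known
    ? { access_token: `access-for-${refreshToken}` }
    : { error: 'invalid_grant' };
}

// The Action body from the article, with the Management client constructor
// injected so it can be exercised here with the fake above.
function buildAction(createManagementClient) {
  return async (event, api) => {
    const management = createManagementClient({
      domain: event.secrets.domain,
      clientId: event.secrets.clientId,
      clientSecret: event.secrets.clientSecret,
    });
    try {
      await management.users.deleteRefreshTokens({ user_id: event.user.user_id });
    } catch (err) {
      // In a real Action this is where you would log the failure; the fake
      // client never throws.
      console.log('Error revoking refresh tokens:', err);
    }
  };
}

// Walk through one password change for "alice" and report what still works.
async function scenario() {
  // Constructed sample data: two refresh tokens for alice, one for bob.
  const store = {
    tokens: [
      { userId: 'auth0|alice', token: 'rt-alice-1' },
      { userId: 'auth0|alice', token: 'rt-alice-2' },
      { userId: 'auth0|bob', token: 'rt-bob-1' },
    ],
  };
  const action = buildAction(() => new FakeManagementClient(store));
  const event = {
    user: { user_id: 'auth0|alice' },
    // Placeholder secrets; a real Action reads these from event.secrets.
    secrets: { domain: 'example.invalid', clientId: 'placeholder', clientSecret: 'placeholder' },
  };

  const aliceBefore = refreshAccessToken(store, 'rt-alice-1');
  await action(event, {}); // alice changes her password
  const aliceAfter = refreshAccessToken(store, 'rt-alice-1');
  const bobAfter = refreshAccessToken(store, 'rt-bob-1');

  return {
    aliceBeforeOk: aliceBefore.error === undefined, // true: token worked before the change
    aliceAfterError: aliceAfter.error,               // 'invalid_grant': revoked by the Action
    bobStillOk: bobAfter.error === undefined,        // true: other users are unaffected
    tokensLeft: store.tokens.length,                 // 1
  };
}

scenario().then((result) => console.log(result));
```

The point of the harness is the before/after pair for alice: without the Action, the first refresh token would keep minting access tokens after the password change; with it, the exchange fails with invalid_grant while bob's token is untouched. The same injection pattern lets you unit-test a real Action before deploying it.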

Please see this article and the following GitHub page for more information on using the Management API in Actions:

Some additional information on revoking refresh tokens can be found here:

Please note that local application sessions need to be handled separately in most cases, but Back-Channel Logout can help synchronize them on certain events: