Problem statement
Why does the Auth0 session not expire if a refresh token is revoked? This question is in the context of the Back Channel Logout specification.
This is detailed in the OIDC Back-Channel Logout documentation.
The scenario tested is as follows:
- Configure Back-Channel Logout for a specific application.
- Login, including the “offline_access” scope, to get a refresh token.
- Once the refresh token is created, revoke it.
As a result, no request is received on the Back-Channel Logout endpoint, so the Auth0 session is not terminated.
Cause
The Auth0 session is not terminated because, in order to trigger Back-Channel Logout and terminate the session, the Back-Channel Logout Initiators must be configured.
Solution
To trigger the Back-Channel Logout and terminate the session, the Back-Channel Logout Initiators must be configured. This is detailed in the OIDC Back-Channel Logout Initiators documentation.
Session termination is driven by a set of initiators (triggers). These are specified in the properties of the backchannel_logout_initiators object when calling the following Management API endpoint:
PATCH /api/v2/clients/{yourClientId}
This is detailed in the Properties section of the OIDC Back-Channel Logout Initiators documentation.
Only the following values are supported (revoking a refresh token is not among them, which is why revocation alone does not end the session):
- rp-logout
- idp-logout
- password-changed
- session-expired
- account-deleted
- email-identifier-changed
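The following is an added example, not code from the Auth0 documentation, showing how a client application's back-channel logout configuration can be assembled and validated before the PATCH call above is sent. The nested property names `oidc_backchannel_logout`, `backchannel_logout_urls`, `mode` and `selected_initiators`, and the `mode` value `"custom"`, are assumptions drawn from the Management API client schema as the author understands it; confirm them against the Properties section of the OIDC Back-Channel Logout Initiators documentation before use. The tenant domain, client ID, Management API token and logout URL are placeholders.

```python
"""Added example (not Auth0's own code): build and validate the Management API
PATCH body that enables Back-Channel Logout Initiators for a client.

Assumed (not on the page): the property names oidc_backchannel_logout,
backchannel_logout_urls, mode and selected_initiators, and mode="custom".
All domain, client, token and URL values below are placeholders.
"""
import json
import urllib.request

# The initiator values the documentation lists as the only supported ones.
SUPPORTED_INITIATORS = frozenset({
    "rp-logout",
    "idp-logout",
    "password-changed",
    "session-expired",
    "account-deleted",
    "email-identifier-changed",
})


def build_patch_body(logout_urls, initiators):
    """Return the JSON-serialisable PATCH body, rejecting unknown initiators.

    Rejecting unknown names up front matters: an event that is not in the
    supported set (for example, a hypothetical refresh-token revocation
    trigger) will never cause Auth0 to call the back-channel endpoint, so a
    typo or an unsupported name silently leaves sessions alive.
    """
    unknown = sorted(set(initiators) - SUPPORTED_INITIATORS)
    if unknown:
        raise ValueError(f"unsupported back-channel logout initiators: {unknown}")
    if not logout_urls:
        raise ValueError("at least one backchannel_logout_url is required")
    return {
        "oidc_backchannel_logout": {                    # assumed property name
            "backchannel_logout_urls": list(logout_urls),
            "backchannel_logout_initiators": {
                "mode": "custom",                       # assumed value
                "selected_initiators": sorted(set(initiators)),
            },
        }
    }


def build_request(domain, client_id, mgmt_token, body):
    """Assemble the PATCH request against /api/v2/clients/{clientId}."""
    url = f"https://{domain}/api/v2/clients/{client_id}"
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {mgmt_token}",
            "Content-Type": "application/json",
        },
    )


def main():
    body = build_patch_body(
        ["https://app.example/backchannel-logout"],     # placeholder URL
        ["rp-logout", "password-changed", "session-expired"],
    )
    # Placeholder tenant, client ID and token.
    req = build_request("YOUR_TENANT.auth0.com", "YOUR_CLIENT_ID", "MGMT_API_TOKEN", body)
    print(req.get_method(), req.full_url)
    print(json.dumps(body, indent=2))
    # Uncomment to send the request for real:
    # with urllib.request.urlopen(req) as resp:
    #     print(resp.status, resp.read().decode())


if __name__ == "__main__":
    main()
```

The validation step is the part worth keeping even if the request is sent with another tool: it makes the supported-initiator list an explicit allow-list in code, so a deployment that expects refresh-token revocation to end sessions fails at configuration time rather than at incident time.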