We were able to find that the Session Token does not expire on log out. This is highly risky as anyone who gets access to the token can reuse it to access the website even if the user has logged out.
We use SPA + API. Our back-end is implemented according to the recommendation: Node.js API Implementation (SPAs + API).
Is there any solution to resolve this on the Auth0 side? Or do we need to implement a kind of custom application session to track when the user logs in/out?
Hi.
Yes, we use /v2/logout when we log out the user from the client (SPA).
On the client, logout works correctly.
But if, after logout on the client, we try to fetch data from the server (using an HTTP client with the credentials the client had before logging out), the server sends a response with data (the same as when the user is logged in).
It looks like you are trying to verify that the Access Token is a JWT and read the payload data. This is equivalent to taking the Access Token and pasting that into jwt.io to see its contents.
In other words, you are decoding an invalidated (old) access token with the same payload data. If you try to use it, you won’t have access to protected resources. You should expect a 401 Unauthorized error when you use this access token.
So, as I understand it, our implementation is correct and JWT should return a 401 Unauthorized error when we decode an invalidated (old) access token?
If yes, then it does not work as expected in my case. Even after the user logs out, if I put the old access_token into JWT, it decodes it successfully and returns the payload.
I also tried to use the old access_token in a userInfo request, and it works:
GET https://YOUR_DOMAIN/userinfo
Authorization: 'Bearer {ACCESS_TOKEN_OLD}'
Do you have any ideas why? (I have an assumption that using /v2/logout does not invalidate the access_token and it still works until its expiration date?)
The code snippet you shared is for validating the access token. For example, you can force the validation to fail by not passing an audience parameter to return an opaque access token. This would cause the JWT check to fail and not allow it to be used against the API.
Next, when using an access token, you must use it to access an API’s protected resource. So for example, if an audience parameter was set and the user has logged out by calling /v2/logout then using that access token with that API will fail. Similarly, if the access token expires on its own, it cannot be used.
I recommend reviewing our Logout documentation again if you have any doubts about the /v2/logout endpoint.
Please let me know if I can help answer any further questions.
Thank you for the explanation.
I came to the conclusion that we missed the Application Session Layer in our back-end.
From the instructions, Application Session Layer: The first layer is the session inside your application. Though your application uses Auth0 to authenticate users, you'll still need to track that the user has logged in to your application.
If you have an example of its implementation, please share.