Session Token does not expire on log out

alex37 · January 9, 2023, 11:00pm

That is our server middleware, that check authentication:
auth.js

// Set up Auth0 configuration
const authConfig = {
  domain: 'auth0_domain',
  audience: 'auth0_audience',
};

// Define middleware that validates incoming bearer tokens
// using JWKS from YOUR_DOMAIN
module.exports = jwt({
  secret: jwksRsa.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://${authConfig.domain}/.well-known/jwks.json`,
  }),

  audience: authConfig.audience,
  issuer: `https://${authConfig.domain}/`,
  algorithm: ['RS256'],
})

This validation passed successfully and joined auth0 user data to request, like this:

req.user: {
  iss: 'https://some-project.auth0.com/',
  sub: 'auth0|someId',
  aud: [
    'https://some-project.com',
    'https://some-project.auth0.com/userinfo'
  ],
  iat: 1673300522,
  exp: 1673386922,
  azp: 'string',
  scope: 'scopes'
}

We expect, that JWT check should not pass, because user already logged out on client.

Topic		Replies	Views
How to expire the token once user clicks log out from my application JWT.io	4	14100	August 29, 2019
Logout user once refresh token expires, instead of making call to /authorize endpoint to get new access and refreshtoken Get Help classic-universal-login-experience , login-experience	3	4188	February 16, 2023
Logged out after the cookie `auth0.is.authenticated` expires Get Help	5	4019	May 20, 2021
Auth0 session persist after using logout method in front end Get Help logout , auth0 , session	1	3847	October 9, 2020
Properly expiring tokens Get Help lock , jwt	5	2863	January 31, 2025

Session Token does not expire on log out

Related topics