Hi there,
We have a ReactJS SPA in which we have given user the functionality to change password. For this, we use Management API via backend to send a password reset link. On resetting the password, it should invalidate all active sessions and ask the user to log back in by entering credentials.
I have read many SO questions but didn’t got the answer I am looking for. General pattern of answers is to use a ‘Change-Password’ webhook and invalidate all refresh tokens or unauthorize application for the user.
One similar question is this
This redirects here on how to revoke refresh tokens. For revoking with authentication API, it asks to send a POST request to /oauth/revoke endpoint. This we can do it in webhook but one of the parameters of this POST request is refresh token itself. In case of Post-Change Password webhook, we don’t get refresh token as argument.
Can someone please guide me into this?
@dan.woda Can you please help?
Thanks In Advance
The password reset should invalidate sessions. Are you not experiencing this?
*Note that I am referring to the auth0 session layer
Yes, password reset is not invalidating sessions
In our application, once a user click on reset password button, we call Authentication API to send a reset password link on his email. While user is resetting password from link he received in email, suppose he had previously logged in to other 2-3 systems/devices/browsers, and he resets his password. In current scenario, user can still use all those logged in sessions and continue his work even though he had logged in with old credentials.
This is a potential security threat. If user forgets to logout from any public system, then his data would get compromised. What we want is that after he resets his password from link in email, his auth0 session should be invalidated and he should logout from all the systems.
P.S.: We took guidance from here to use Authentication API to send password reset email link to user.
Is the issue that the access token/id token is cached? There is no easy way to revoke or invalidate these tokens, as they are stateless. You can shorten the lifetimes so they are only valid for 5 minutes for example.
It’s hard to see where the issue here is, because logout isn’t a single event. There is the Auth0 session, which exists as a cookie and that cookie should be invalidated automatically on PW change, there is the application session, which is a completely seperate layer, and there is also the IDP session, which may or may not be auth0 depending on your connection, you may also not want to log the user out of this session if it is google for instance.
The main question here is what session is not being invalidated? Is there an access token or ID token that is lingering and shortening the lifetime would solve this? Or is this a bug and the auth0 cookie is not being invalidated.
Hi @dan.woda,
Apologies for late reply. Was stuck in one of the feature completion. Thanks for your guidance.
We didn’t use IDP or Application session so there was no question of those 2 sessions. I checked that in settings, ID token expiration time was 3600 seconds and so changed it to shorter lifetime and everything seems to work fine now.
However, I have 2 questions to completely clarify the matter:
-
Case 1: I changed ID expiration time to 1 second for testing purpose. I logged in with chrome and firefox. In chrome, I used the reset password link and updated the password. Now, I continue working in older tabs in both browsers. In case of chrome, it is working normally in old tab while in firefox it logs out. Does that mean that when I reset password from a browser then auth0 would invalidate and store new ID token in that browser?
-
Case 2: I had previous setting of 3600 seconds of ID token expiration time. Like case 1, I logged in with both browsers, reset password in chrome and start using application from same old tabs. I am able to access everything in mozilla also as I have an ID expiration time of 3600 seconds. Now, when I hit refresh, it logs out in mozilla but not in chrome. Because auth0 cookie is invalidated? Is it the case?
Thanks In Advance