Greetings.
I am developing a REST application that handles…well…lots of stuff. We use Auth0 to login and manage organizations, users, and authentication in general.
In order to keep our application user-friendly, we implement all sorts of endpoints to manage the authentication process.
And here comes my question:
When I am trying to revoke a refresh token, if said token does not exist the AuthAPI returns a successful operation, instead of having an error. That causes the response to not being accurate, while the desired outcome (the removal of said refresh token) is achieved, we would want to add a failure message when the refresh token doesn’t exist.
However…in AuthAPI (Auth0 Java SDK) we don’t see a method to verify if a refresh token is valid, or even if we can obtain a refresh token at all (not a new refresh token, an existing one).
I tried the following…
try
{
final AuthAPI authAPI = new AuthAPI(yada, yada, yada);
authAPI.renewAuth(refreshToken);
authAPI.revokeToken(refreshToken).execute();
}
catch (APIException ex)
{
log.error(ex);
if (ex.getStatusCode() == HttpStatus.FORBIDDEN.value())
throw new ForbiddenAccessException(ex.getDescription());
}
catch (Auth0Exception ex)
{
log.error(ex);
throw new InternalServerErrorException("Unable to revoke the token");
}
This works when the token does not exist but creates a completely different one when we try to revoke an existing token… which does not fulfill the purpose of the method.
Any Ideas??