Unable to revoke refresh tokens

I am trying to follow the guide "Revoke Refresh Tokens".

My goal is to create a button in my SPA which says “Logout of all sessions”. When pressed, all refresh tokens should be revoked, effectively forcing a user to re-login; however, access tokens will of course still be usable until they expire.

The guide says that I should be able to go to Dashboard → User Management → Users → <my_user> → Authorized Applications and then press “revoke”.

However, when I do this and then refresh my browser window, the SPA is still able to authenticate and get an access token.

I have also tried to delete all device-credentials in the Management API. However, when calling
GET /api/v2/device-credentials?type=refresh_token&user_id=<my_user>
or
GET /api/v2/device-credentials?type=rotating_refresh_token&user_id=<my_user>
I am receiving an empty list, so I am unable to remove the device credentials.

Hi @ViktorWb,

Welcome to the Auth0 Community!

I understand you are trying to revoke refresh tokens and have your users logged out of all sessions.

After testing this myself, I can confirm that you can revoke refresh tokens using the Auth0 Dashboard.

Moreover, when refreshing the browser, I noticed the same authorization code in the response when doing a network trace. Subsequent refreshes also produced the same authorization code, and when using the code for the first time, but after being revoked, the authorization code cannot be exchanged for an Access Token.

So far, everything looks good! However, I believe you will need to do one more step to log your users out from all sessions and have them re-authenticate.

To do so, I recommend calling the Management API’s Logout endpoint.

Please see our Log Users Out of Applications documentation to learn more.

If you have any additional questions, please reach out!

Thanks.

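The device-credentials approach from the question, written out as an added example (not code from this thread or from Auth0): it lists both refresh token types for one user and deletes each credential by id. It assumes a backend holding a Management API token with the `read:device_credentials` and `delete:device_credentials` scopes; the function names and the in-memory `fake_tenant` are hypothetical, constructed so the logic can be run offline.

```python
import json
import urllib.parse
import urllib.request

TOKEN_TYPES = ("refresh_token", "rotating_refresh_token")  # the two types queried in the post


def http_request(method, url, token):
    """Default transport: returns (status, parsed JSON body or None)."""
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.status, json.loads(raw) if raw else None


def revoke_all_refresh_tokens(domain, mgmt_token, user_id, request=http_request):
    """Delete every refresh-token credential of one user; returns the deleted ids."""
    base = f"https://{domain}/api/v2/device-credentials"
    revoked = []
    for token_type in TOKEN_TYPES:
        query = urllib.parse.urlencode({"type": token_type, "user_id": user_id})
        status, creds = request("GET", f"{base}?{query}", mgmt_token)
        if status != 200:
            raise RuntimeError(f"listing {token_type} failed: HTTP {status}")
        for cred in creds or []:
            cred_id = urllib.parse.quote(cred["id"], safe="")
            status, _ = request("DELETE", f"{base}/{cred_id}", mgmt_token)
            if status != 204:
                raise RuntimeError(f"deleting {cred['id']} failed: HTTP {status}")
            revoked.append(cred["id"])
    return revoked


def fake_tenant(credentials):
    """Constructed in-memory stand-in for the API, so the example runs offline."""
    def request(method, url, token):
        parsed = urllib.parse.urlparse(url)
        if method == "GET":
            q = urllib.parse.parse_qs(parsed.query)
            return 200, [c for c in credentials
                         if c["type"] == q["type"][0] and c["user_id"] == q["user_id"][0]]
        cred_id = urllib.parse.unquote(parsed.path.rsplit("/", 1)[1])
        credentials[:] = [c for c in credentials if c["id"] != cred_id]
        return 204, None
    return request
```

An empty return value corresponds to the empty list described in the question: no refresh token credential is stored for that user, so this path has nothing to revoke.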