Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revoke Refresh Token on Logout #685

Closed
5 tasks done
devzeze opened this issue Sep 4, 2023 · 2 comments
Closed
5 tasks done

Revoke Refresh Token on Logout #685

devzeze opened this issue Sep 4, 2023 · 2 comments
Labels
feature request A feature has been asked for or suggested by the community

Comments

@devzeze
Copy link

devzeze commented Sep 4, 2023

Checklist

  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

There is a request for this feature in Auth0 Community but since this can be a security issue I think it should be discussed here also.

https://community.auth0.com/t/revoke-refresh-token-on-logout/80698

As it is stated:
This leaves it available for use if it is compromised on the client-side or in transit. The revoke refresh token endpoint can be called, separately, but it would be good to remove the refresh token for the device on logout.

Describe the ideal solution

Refresh token is revoked during logout.

Alternatives and current workarounds

We can call the endpoint to revoke the refresh token directly but this is a big limitation of the SDK and can lead to security issues since many users might not implement it.

https://auth0.com/docs/secure/tokens/refresh-tokens/revoke-refresh-tokens

Additional context

No response
@devzeze devzeze added the feature request A feature has been asked for or suggested by the community label Sep 4, 2023
@devzeze
Copy link
Author

devzeze commented Sep 5, 2023

This makes even more sense since it is already supported on iOS.

https://auth0.github.io/Auth0.swift/documentation/auth0/credentialsmanager/
auth0/Auth0.swift#312

[func revoke(headers: [String : String]) async throws] Calls the /oauth/revoke endpoint to revoke the refresh token and then clears the credentials if the request was successful. Otherwise, the credentials are not cleared and an error is thrown.

@devzeze
Copy link
Author

devzeze commented Sep 5, 2023

Noticed now this can be done with a different class:

AuthenticationAPIClient

https://github.com/auth0/Auth0.Android/blob/main/auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.kt

/**
 * Request the revoke of a given refresh_token. Once revoked, the refresh_token cannot be used to obtain new tokens.
 * Your Auth0 Application Type should be set to 'Native' and Token Endpoint Authentication Method must be set to 'None'.
 *
 * Example usage:
 *
 * ```
 * client.revokeToken("{refresh_token}")
 *     .start(object: Callback<Void?, AuthenticationException> {
 *         override fun onSuccess(result: Void?) { }
 *         override fun onFailure(error: AuthenticationException) { }
 * })
 * ```
 *
 * @param refreshToken the token to revoke
 * @return a request to start
 */
public fun revokeToken(refreshToken: String)

@devzeze devzeze closed this as completed Sep 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request A feature has been asked for or suggested by the community
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@devzeze