
Currently it is Impossible to get Refresh Token to revoke it #1013

Closed
mikhail-slauth opened this issue Oct 4, 2022 · 3 comments
Labels: feature request (a feature has been asked for or suggested by the community), needs investigation (an issue that has more questions to answer or otherwise needs work to fully understand the issue)

Comments

@mikhail-slauth

Currently it is Impossible to get current Refresh Token to revoke it

I need to revoke the Refresh Token on log out (see https://auth0.com/docs/secure/tokens/refresh-tokens/revoke-refresh-tokens), but this is not possible, because I can't get it in any way via the current API. For some reason refresh_token is omitted from the getAccessTokenSilently method (see https://github.com/auth0/auth0-spa-js/blob/master/src/global.ts#L641).

Possible solutions

Implement a dedicated method revokeRefreshToken which will revoke the current refresh token according to the doc at https://auth0.com/docs/secure/tokens/refresh-tokens/revoke-refresh-tokens

@mikhail-slauth mikhail-slauth added the feature request A feature has been asked for or suggested by the community label Oct 4, 2022
@frederikprijck (Member) commented Oct 5, 2022

Thank you for reaching out!

This is a fair request, as we do not offer a way for you to revoke refresh tokens. This is something we would want to look into and see if and how we can improve to accommodate this.

I will raise this within our team to have a conversation about this, and if/how we could best offer a solution for this.

@frederikprijck frederikprijck added the needs investigation An issue that has more questions to answer or otherwise needs work to fully understand the issue label Oct 5, 2022
@ormagomy

I would like to add my support for this request. I recently reached out to Auth0 support requesting this same functionality, but just now saw this issue/feature request. We are currently working around this with a manual, hacky solution. I would much prefer to have a built-in, supported way to either get the refresh token, revoke the refresh token, or both.

@ewanharris (Contributor) commented May 9, 2023

Hey @mikhail-slauth, thanks again for opening this issue.

We’ve investigated the feasibility of supporting refresh token revocation directly in this SDK and have decided that, for now, we won’t implement an API for it, given that there is a solution for this already (outlined below) and that, with this SDK's support for multiple audiences and scopes, there could be some confusion around the API.

For now, our recommendation would be that, if refresh token revocation is required, you call getTokenSilently({ ignoreCache: true }). Combined with the use of rotating refresh tokens, this will invalidate the previous refresh token, ensuring it cannot be used again.

We will definitely continue to consider this request in future, however.
