Is there a way to revoke both refresh token and access token when logout?
I create both a refresh token and an access token at login. However, at logout, those tokens should be revoked at the same time, without affecting other tokens owned by the user. I looked at the docs. Like:
```python
from flask import Flask, jsonify
from flask_jwt_extended import JWTManager, jwt_required, jwt_refresh_token_required

app = Flask(__name__)
app.config['JWT_SECRET_KEY'] = 'CHANGE-ME'  # placeholder, not a real secret
jwt = JWTManager(app)

# _revoke_current_token is the blacklist helper from the docs example this
# snippet is taken from: it adds the jti of the token sent with the request
# to the blacklist store. It is not reproduced here.


# Endpoint for revoking the current user's access token
@app.route('/logout', methods=['POST'])
@jwt_required
def logout():
    try:
        _revoke_current_token()
    except KeyError:
        return jsonify({
            'msg': 'Access token not found in the blacklist store'
        }), 500
    return jsonify({"msg": "Successfully logged out"}), 200


# Endpoint for revoking the current user's refresh token
@app.route('/logout2', methods=['POST'])
@jwt_refresh_token_required
def logout2():
    try:
        _revoke_current_token()
    except KeyError:
        return jsonify({
            'msg': 'Refresh token not found in the blacklist store'
        }), 500
    return jsonify({"msg": "Successfully logged out"}), 200
```
Is there a way to revoke both?
Issue Analytics
- State:
- Created 6 years ago
- Reactions:3
- Comments:14 (5 by maintainers)
Running into the same issue here. I don’t want to store anything about tokens on the server other than blacklisted token ids in Redis. My current solution is to embed a reference to the refresh token id inside the access token. By doing so, I am able to blacklist both tokens' ids on logout. Not sure if this violates any JWT principles but it’s the best I could come up with.
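The pairing described in that comment, as an added example that is not code from the issue or from flask-jwt-extended: the access token carries a `refresh_jti` claim naming its refresh token's `jti`, so one logout call can blocklist both ids while the user's other sessions keep working. It uses only the standard library (a minimal HS256 encoder stands in for the JWT library, and an in-memory set stands in for the Redis blocklist); `SECRET`, `BLOCKLIST`, `issue_token_pair`, `refresh_access_token`, `logout` and `is_valid` are all names assumed for this example. It goes one step beyond the comment: every access-token check also rejects tokens whose parent `refresh_jti` is blocklisted, so access tokens minted earlier from the same refresh token die with it instead of surviving until they expire.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed for this example
BLOCKLIST = set()  # stand-in for the Redis set of revoked jtis


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict) -> str:
    """Minimal HS256 JWT encoder (assumed helper, not a library API)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt(token: str, expected_type: str) -> dict:
    """Verify signature, type, expiry and blocklist; raise ValueError otherwise."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("type") != expected_type:
        raise ValueError("wrong token type")
    if claims["exp"] < time.time():
        raise ValueError("expired")
    if claims["jti"] in BLOCKLIST:
        raise ValueError("revoked")
    # Access tokens are also dead once their parent refresh token is revoked.
    if claims.get("refresh_jti") in BLOCKLIST:
        raise ValueError("session revoked")
    return claims


def issue_token_pair(user_id, access_ttl=900, refresh_ttl=30 * 86400):
    """Login: mint a refresh token and an access token that references it."""
    now = int(time.time())
    refresh_jti = str(uuid.uuid4())
    refresh = encode_jwt({"sub": user_id, "type": "refresh", "jti": refresh_jti,
                          "exp": now + refresh_ttl})
    access = encode_jwt({"sub": user_id, "type": "access", "jti": str(uuid.uuid4()),
                         "refresh_jti": refresh_jti, "exp": now + access_ttl})
    return access, refresh


def refresh_access_token(refresh_token, access_ttl=900):
    """Refresh: the new access token stays bound to the same refresh jti."""
    claims = decode_jwt(refresh_token, "refresh")
    return encode_jwt({"sub": claims["sub"], "type": "access", "jti": str(uuid.uuid4()),
                       "refresh_jti": claims["jti"], "exp": int(time.time()) + access_ttl})


def logout(access_token):
    """Logout with the access token alone: blocklist its jti and its refresh jti."""
    claims = decode_jwt(access_token, "access")
    BLOCKLIST.add(claims["jti"])
    BLOCKLIST.add(claims["refresh_jti"])
    return claims["jti"], claims["refresh_jti"]


def is_valid(token, expected_type):
    try:
        decode_jwt(token, expected_type)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    phone_access, phone_refresh = issue_token_pair("alice")
    laptop_access, laptop_refresh = issue_token_pair("alice")
    logout(phone_access)
    print("phone refresh still valid:", is_valid(phone_refresh, "refresh"))    # False
    print("laptop refresh still valid:", is_valid(laptop_refresh, "refresh"))  # True
```

In a real deployment the blocklist entries only need to live as long as the longest-lived token that references them, so store each jti with a TTL equal to the refresh token's remaining lifetime; the revoked refresh jti is what keeps the whole session dead, because every access token of that session names it.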
Yeah, this is honestly some great information that could probably use more exposure. If someone wants to update the docs/examples to highlight how this could be done I would very much welcome a pull request 👍