Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Logout doesn't revoke the refresh token(s) #1320

Open
6 tasks done
RobPethick opened this issue Nov 8, 2024 · 1 comment
Open
6 tasks done

Logout doesn't revoke the refresh token(s) #1320

RobPethick opened this issue Nov 8, 2024 · 1 comment
Labels
bug This points to a verified bug in the code

Comments

@RobPethick
Copy link

Checklist

Description

I have seen the discussion here: #1013. And the recommendation there to just get a new refresh token and then forgetting it. This isn't a correct solution for me, this will fail our security reviews. Refresh tokens should be revoked when they are done with.

In my book we shouldn't expose a revoke token method but instead we should add it to the logic within the logout method as that is the only time a client would revoke the refresh token

Reproduction

  1. Copy refresh token
  2. Logout
  3. Use refresh token
  4. Expected: refresh token can't be used, Actual: refresh token still useable

Additional context

I would be really happy to submit a PR for this improvement

auth0-spa-js version

2.1.3

Which framework are you using (React, Angular, Vue...)?

React (wrapping auth0-spa-js)

Framework version

No response

Which browsers have you tested in?

Chrome, Firefox

@RobPethick RobPethick added the bug This points to a verified bug in the code label Nov 8, 2024
@Rendez
Copy link

Rendez commented Feb 14, 2025

+1

This could be considered a security issue if a refresh token were to be stolen, for instance by sniffing window.fetch, and would give the attacker the ability to generate new access tokens until the refresh token expires.

For what I see in the code, a POST request to /oauth/revoke should be issued, all is needed is the client id and the refresh token, but the latter isn't exposed, so we can't do it from the outside manually, it has to be within the logout() call, see:

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
bug This points to a verified bug in the code
Projects
None yet
Development

No branches or pull requests

2 participants