Revoking Refresh Token does Not Trigger Backchannel Session Logout

Overview

Why does the Auth0 session not expire if a refresh token is revoked? This question is in the context of the Back-Channel Logout specification.

This is detailed in the OIDC Back-Channel Logout documentation.

The scenario tested is as follows:

  • Configure Back-Channel Logout for a specific application.
  • Log in, including the "offline_access" scope, to obtain a refresh token.
  • Once the refresh token has been issued, revoke it.

As a result, no request is received on the Backchannel Logout Endpoint, so the Auth0 session is not terminated.

Applies To

  • Refresh Token
  • Session Logout

Cause

The Auth0 session is not terminated because a Back-Channel Logout request is only sent when one of the configured Back-Channel Logout Initiators fires. Revoking a refresh token is not, by itself, one of the supported initiators, so the Back-Channel Logout Initiators must be configured for the session to be terminated.

Solution

To trigger the Back-Channel Logout and terminate the session, the Back-Channel Logout Initiators must be configured. This is detailed in the OIDC Back-Channel Logout Initiators documentation. 

A set of triggers can be used to initiate session termination. These are specified in the properties of the backchannel_logout_initiators object when calling the following Management API endpoint:

PATCH /api/v2/clients/{yourClientId}

This is detailed in the Properties section of the OIDC Back-Channel Logout Initiators documentation.

Only the following values are supported:

  • rp-logout
  • idp-logout
  • password-changed
  • session-expired
  • account-deleted
  • email-identifier-changed
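As an added example (not from this article or from Auth0's own SDKs), the helper below validates the chosen initiators against the supported list above before issuing the PATCH, so a value that is not an initiator fails locally instead of silently leaving the session alive. The oidc_backchannel_logout wrapper and the mode / selected_initiators property names are assumed from the Management API documentation, and patch_client is a hypothetical helper name.

```python
"""Configure Back-Channel Logout Initiators on an Auth0 application.

Added example, not Auth0 code. Assumed payload shape (verify against your tenant):
  {"oidc_backchannel_logout": {"backchannel_logout_initiators":
      {"mode": "custom", "selected_initiators": [...]}}}
"""
import json
import urllib.request

# The only initiator values the article lists as supported.
SUPPORTED_INITIATORS = frozenset({
    "rp-logout", "idp-logout", "password-changed",
    "session-expired", "account-deleted", "email-identifier-changed",
})


def build_initiators_patch(initiators):
    """Return the PATCH body that enables the given initiators.

    Raises ValueError for any value outside the supported set, e.g. a typo
    or an event that is not an initiator at all (refresh-token revocation).
    """
    unsupported = sorted(set(initiators) - SUPPORTED_INITIATORS)
    if unsupported:
        raise ValueError(f"unsupported initiators: {unsupported}")
    return {
        "oidc_backchannel_logout": {
            "backchannel_logout_initiators": {
                "mode": "custom",  # assumed: "all" would enable every initiator
                "selected_initiators": sorted(set(initiators)),
            }
        }
    }


def patch_client(domain, client_id, mgmt_token, initiators):
    """PATCH /api/v2/clients/{client_id} and return the JSON reply.

    mgmt_token is a Management API token holding the update:clients scope.
    """
    body = json.dumps(build_initiators_patch(initiators)).encode()
    req = urllib.request.Request(
        f"https://{domain}/api/v2/clients/{client_id}",
        data=body,
        method="PATCH",
        headers={"Authorization": f"Bearer {mgmt_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)
```

After the PATCH, repeat the scenario from the Overview and confirm that a logout request now reaches the Back-Channel Logout endpoint for the enabled initiators.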
