
Handling Access Token Revocation After Logout in FusionAuth

wesley, last edited 19 Feb 2025, 22:30

    It appears that calling the /oauth2/logout endpoint does not invalidate the access token.

    Steps to Reproduce:

    1. Complete the OIDC flow and retrieve an access token.
    2. Validate the token using the /oauth2/introspect and /oauth2/userinfo endpoints.
    3. Call /oauth2/logout, passing the tenant ID and client ID, with the access token included as a cookie or in the Authorization header.
    4. After logout, call the /oauth2/userinfo or /oauth2/introspect endpoints again and observe that the access token still validates.

    Is this expected behavior, and how can we fully revoke an access token on logout?

    wesley (replying to wesley), last edited 19 Feb 2025, 22:41

      Yes, this is expected behavior because access tokens cannot be revoked by default.

      Why /oauth2/logout Doesn’t Invalidate Access Tokens:

      • Access tokens are stateless and do not require real-time validation with FusionAuth after issuance.
      • For this reason, access tokens are typically short-lived, reducing security risks.
      • Logout via /oauth2/logout only removes the SSO cookie and does not affect issued tokens.

      How to Handle Token Revocation:

      1. Use Short-Lived Access Tokens
        • The recommended approach is to issue short expiration times for access tokens and rely on refresh tokens for continued access.
      2. Implement a Token Revocation Strategy
        • If you need a way to invalidate access tokens, consider implementing a denylist-based revocation workflow.
        • FusionAuth provides guidance on how to do this: Revoking JWTs in FusionAuth
      3. Ensure Full Logout by Removing All Session Identifiers
        • If the user is also authenticated via a refresh token or other session identifiers, these must be explicitly removed to fully log out the user.
        • FusionAuth provides more details in:
          Logout Endpoint Documentation
          User Sessions in FusionAuth

      Summary

      By default, access tokens remain valid until expiration, even after logging out. To ensure access is revoked immediately, you will need to either implement a denylist mechanism or rely on short-lived tokens with refresh token workflows.

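An added example, not code from the thread or from FusionAuth: a resource-server check that combines the two approaches above, a short expiry on the token plus a denylist keyed by subject and revocation time, so a token issued before the user's logout is refused even though it is still signed and unexpired. It assumes an HS256 shared secret and an in-memory denylist; in practice that list would be fed by the revocation workflow the linked guidance describes, which is not shown here.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for this example; a real deployment reads it from config.
SECRET = b"example-shared-secret"

# Denylist: subject (user id) -> time (seconds) at which that user's tokens were revoked.
# A logout handler would call revoke_user(); tokens issued at or before that instant are refused.
REVOKED_AT = {}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(sub, iat, ttl=300):
    """Issue a short-lived HS256 JWT (ttl defaults to 5 minutes) for the example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "iat": iat, "exp": iat + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def revoke_user(sub, at):
    """Record that every token for `sub` issued at or before `at` is no longer trusted."""
    REVOKED_AT[sub] = at


def is_token_acceptable(token, now):
    """Return (accepted, reason). Signature and expiry are checked before the denylist."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":   # refuse alg substitution
        return False, "bad alg"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if now >= claims["exp"]:
        return False, "expired"
    revoked = REVOKED_AT.get(claims["sub"])
    if revoked is not None and claims["iat"] <= revoked:      # fail closed on same-second tokens
        return False, "revoked"
    return True, "ok"
```

A token minted after the revocation instant (a fresh login) passes again, so the denylist only needs to hold one timestamp per user, and entries older than the longest token lifetime can be dropped.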
      wesley has marked this topic as solved on 19 Feb 2025, 22:41
      mark.robustelli moved this topic from Q&A on 28 Mar 2025, 19:09