Does api/logout revoke the bearer/refresh token?
-
Does
api/logoutrevoke the bearer/refresh token?https://fusionauth.io/docs/v1/tech/apis/login/#logout-a-user
-
The short answer is no, it does not.
-
The link you mention in your first post (https://fusionauth.io/docs/v1/tech/apis/login/#logout-a-user) has the following paragraph.
"The refresh token is only revoked if the request contains the refresh_token cookie or the refreshToken request parameter."
Does that not mean that, if you supply the refreshToken request parameter, then logout will revoke it?
-
Hello again!
Yes, this is how I read that as well from the documentation. You could also test that logout is enforcing the behavior that you are seeking by using the browser console to check for cookies. Or if not storing the token in cookies, checking the relevant location and/or behavior to ensure that the user's refresh/access tokens are properly removed/invalidated.
Based on the documentation, you should provide the
refreshTokenin the request to invalidate, as seen below:
Thanks,
JoshRelated Links
https://fusionauth.io/community/forum/topic/270/logout-questions/5