I am using access tokens and refresh tokens to authenticate my users for my ASP.NET Core 2 API.

When a user physically clicks the logout button, I clear the local storage that contains the access token and refresh token.

But I am wondering if I should do an extra call and delete the refresh token as well.

chobo2
  • Yes, you should. After logout, when the user logs in again, a new access token with a new refresh token will be issued. In that case you should not keep your old refresh token, because whether you delete it or not, a refresh token will be issued again on the next login (if your grant allows). – Shaharia Azam Jul 19 '18 at 18:32
  • Yeah, essentially the old one will become an orphan refresh token, which I guess could open a slight security hole, as in theory someone could get that token. Though there still could be times (like local storage being cleared) where I might still have orphan tokens. Should I just have a cleanup task for those? – chobo2 Jul 19 '18 at 18:47

1 Answer

Yes, I guess you should. There have been lots of different opinions about whether to clear the old refresh tokens or keep as many of them as stay fresh. Actually, the primary intention of keeping refresh tokens was that you can re-use them later. But still, if people log out by hitting the button, then you can clean up those refresh tokens.

But if you want to keep them on your site longer without re-login, you can re-issue the access token with the refresh token, so the user's auth token will be valid for longer. But if the user wants to log out by themselves, then you should clean that up and store a new one on their next login.

Shaharia Azam
  • Well, I thought the main reason was so you can have short-lived access tokens and basically have a way to revoke people if needed, but I have seen people who say refresh tokens should never expire and some who say they should. I am leaning towards them eventually dying. – chobo2 Jul 19 '18 at 18:55
  • According to the RFC, it's best to rotate or invalidate refresh tokens. Otherwise people can abuse a refresh token if you keep them indefinitely. – Shaharia Azam Jul 19 '18 at 19:00
  • Well, I invalidate the refresh token once it is used: if it is used, then it is deleted and a new one is generated. It is just what to do with the ones that may be orphans, and how to decide when one is an orphan. – chobo2 Jul 19 '18 at 19:06
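As an added example (not code from the question or the answer), here is an in-memory refresh-token store in C# for an ASP.NET Core API like the asker's, showing the three operations the thread discusses: single-use rotation, revoking all of a user's tokens on logout, and a cleanup pass for orphaned tokens. The class, its method names and the 30-day lifetime are assumptions; a real service would call these from its login, refresh and logout endpoints and run PurgeExpired from a scheduled job.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical in-memory refresh-token store; a real ASP.NET Core API would use a DB table.
public class RefreshTokenStore
{
    private class Entry { public string UserId; public DateTime ExpiresUtc; }
    // Keyed by SHA-256 of the token, so a leaked store does not yield usable tokens.
    private readonly ConcurrentDictionary<string, Entry> _tokens = new ConcurrentDictionary<string, Entry>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromDays(30); // assumed lifetime
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create()) return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
    // Issue a fresh random token and remember only its hash, owner and expiry.
    public string Issue(string userId)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        _tokens[Hash(token)] = new Entry { UserId = userId, ExpiresUtc = DateTime.UtcNow + Lifetime };
        return token;
    }
    // Rotation: the presented token is single-use; it is removed before the replacement is
    // issued, so a replay fails. Returns null when unknown, already used or expired.
    public string Rotate(string presented, out string userId)
    {
        userId = null;
        if (!_tokens.TryRemove(Hash(presented), out var entry) || entry.ExpiresUtc < DateTime.UtcNow)
            return null;
        userId = entry.UserId;
        return Issue(userId);
    }
    // Logout: revoke every token the user holds, not only the one the client sent.
    public int RevokeAll(string userId)
    {
        var keys = _tokens.Where(kv => kv.Value.UserId == userId).Select(kv => kv.Key).ToList();
        return keys.Count(k => _tokens.TryRemove(k, out _));
    }
    // Cleanup task for orphans: tokens never rotated or revoked are dropped once expired.
    public int PurgeExpired()
    {
        var keys = _tokens.Where(kv => kv.Value.ExpiresUtc < DateTime.UtcNow).Select(kv => kv.Key).ToList();
        return keys.Count(k => _tokens.TryRemove(k, out _));
    }
}
```

A token that was never rotated or revoked (client storage wiped, browser closed) is an orphan by definition, and the expiry recorded at issue time is what lets the cleanup job decide when it is safe to drop it.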