1

I am using the /oauth2/logout endpoint to log a user out of fusionauth as described here.

I know that the JWT will be valid till it expires and we can use webhooks to invalidate it if needed before expiry. But do we need to explicitly expire any refresh token issued to the user or does fusionauth automatically invalidates them?

stariqmi
  • 113
  • 1
  • 7

1 Answers1

3

The OAuth2 core specification doesn't include token revocation. But revoking tokens has been specified through an "extension" to the standard (see RFC7009).

The thing is, API providers generally don't include a URL in their API to handle token revocation. They mostly rely on access_token expiration.

With this said, as per FusionAuth only, I've found this issue that explain why it's not broadly supported.

Frenchcooc
  • 910
  • 6
  • 20
  • Thank you @frenchcooc that link gave me the answer I needed. – stariqmi Dec 02 '19 at 19:16
  • 2
    @frenchcooc is correct. FusionAuth doesn't revoke refresh tokens during a logout. However, your application can remove them from the client (browser, mobile, etc) when FusionAuth calls your logout URL. You can also call the JWT revoke API in FusionAuth to delete the refresh tokens as well. – voidmain Dec 03 '19 at 00:41