Should Refresh Tokens Be Deleted on Logout?
I am using access tokens and refresh tokens to authenticate my users for my ASP.NET Core 2 API.

When a user physically clicks the logout button, I clear the local storage that contains the access token and refresh token.

But I am wondering if I should do an extra call and delete the refresh token as well.

Elephus answered 19/7, 2018 at 18:28

Comments:

Dowell: Yes, you should. Because after logout, when the user logs in, a new access token with a new refresh token will be issued. In that case, you should not keep your refresh token. Because whether you delete it or not, on the next login a refresh token will be issued again (if your grant allows).

Elephus: Yeah, essentially the old one will become an orphan refresh token, which I guess could open a slight security hole, as in theory someone could get that token. Though there still could be times (like when localStorage was cleared) where I might still have orphan tokens. Should I just have a cleanup task for those?

Yes, I guess you should. There have been lots of different opinions about that: whether to clear the old refresh tokens or keep as many as can stay fresh. Actually, the primary intention of keeping refresh tokens was so you can re-use them later. But still, if people log out by hitting the button, then you can clean up those refresh tokens.

But if you want to keep them on your site longer without re-login, you can re-issue the access token with the refresh token. So the user's auth token will be valid for longer. But if the user wants to log out by themselves, then you should clean that up and store a new one on their next login.

Dowell answered 19/7, 2018 at 18:51

Comments:

Elephus: Well, I thought the main reason was so you can have short access tokens and basically have a way to revoke people if needed, but I have seen people who say refresh tokens should never expire and some who say they should. I am leaning towards them eventually dying.

Dowell: According to the RFC, it's best to rotate or invalidate refresh tokens. Otherwise people can abuse refresh tokens if you keep them indefinitely.

Elephus: Well, I invalidate the refresh token once it is used; if it is used then it is deleted and a new one is generated. It is just what to do with ones that may be orphans, and how to decide when one is an orphan.
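The thread settles on three rules: rotate the refresh token on every use, revoke it on explicit logout, and sweep orphans (tokens whose client-side copy vanished without a logout) once they expire. The following is an added example, not code from the question or answer, and it is framework-independent: the same logic would live in a token service behind an ASP.NET Core controller. The in-memory store, the `RefreshTokenStore` class, its `family_id` field and the `demo()` walkthrough are all constructed for illustration. It also goes one step beyond the thread: tokens issued from one login share a family, so if an already-consumed or logged-out token is presented again, the whole family is revoked rather than just that token, and the cleanup sweep deletes only expired rows so that such replays remain detectable until expiry.

```python
"""Refresh-token lifecycle: rotation on use, revocation on logout, expiry cleanup."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class RefreshTokenRecord:
    token_hash: str       # SHA-256 of the opaque token; the raw token is never stored
    user_id: str
    family_id: str        # every token descended from one login shares a family
    expires_at: datetime
    revoked: bool = False


class RefreshTokenStore:
    """In-memory stand-in (constructed for this example) for the refresh-token table."""

    def __init__(self, lifetime: timedelta = timedelta(days=30)) -> None:
        self.lifetime = lifetime
        self._records: Dict[str, RefreshTokenRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # Hashing means a leaked table does not hand out usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, now: datetime, family_id: Optional[str] = None) -> str:
        """Issue a token at login (new family) or during rotation (same family)."""
        token = secrets.token_urlsafe(32)
        record = RefreshTokenRecord(
            token_hash=self._hash(token),
            user_id=user_id,
            family_id=family_id or secrets.token_hex(8),
            expires_at=now + self.lifetime,
        )
        self._records[record.token_hash] = record
        return token

    def rotate(self, presented: str, now: datetime) -> Optional[str]:
        """Consume the presented token and return its replacement, or None if rejected."""
        record = self._records.get(self._hash(presented))
        if record is None or now >= record.expires_at:
            return None
        if record.revoked:
            # A consumed or logged-out token came back: treat the family as
            # compromised so any other live copy stops working as well.
            self.revoke_family(record.family_id)
            return None
        record.revoked = True
        return self.issue(record.user_id, now, record.family_id)

    def logout(self, presented: str) -> bool:
        """Explicit logout: revoke the whole family, not only the presented token."""
        record = self._records.get(self._hash(presented))
        if record is None:
            return False
        self.revoke_family(record.family_id)
        return True

    def revoke_family(self, family_id: str) -> None:
        for record in self._records.values():
            if record.family_id == family_id:
                record.revoked = True

    def cleanup(self, now: datetime) -> int:
        """Orphan sweep: delete only expired rows. Revoked-but-unexpired rows are
        kept so a replay of them is still recognised. Returns the number removed."""
        expired = [h for h, r in self._records.items() if now >= r.expires_at]
        for h in expired:
            del self._records[h]
        return len(expired)

    def active_count(self) -> int:
        return sum(1 for r in self._records.values() if not r.revoked)


def demo() -> dict:
    """Login, rotate, replay, logout and cleanup on constructed data; returns outcomes."""
    store = RefreshTokenStore(lifetime=timedelta(days=30))
    t0 = datetime(2018, 7, 19, 18, 28, tzinfo=timezone.utc)

    first = store.issue("alice", t0)                             # login
    second = store.rotate(first, t0 + timedelta(hours=1))        # normal refresh
    replay = store.rotate(first, t0 + timedelta(hours=2))        # old token replayed
    active_after_replay = store.active_count()                   # family revoked

    fresh = store.issue("alice", t0 + timedelta(hours=3))        # re-login
    logged_out = store.logout(fresh)                             # logout button
    after_logout = store.rotate(fresh, t0 + timedelta(hours=4))  # must be refused

    store.issue("bob", t0 - timedelta(days=40))                  # orphan: client wiped
    removed = store.cleanup(t0 + timedelta(hours=5))             # expiry sweep

    return {
        "rotated": second is not None and second != first,
        "replay_rejected": replay is None,
        "active_after_replay": active_after_replay,
        "logged_out": logged_out,
        "rotate_after_logout": after_logout,
        "removed_by_cleanup": removed,
        "remaining": len(store._records),
    }


if __name__ == "__main__":
    print(demo())
```

The cleanup sweep is the answer to the orphan question in the thread: an orphan carries no signal other than its expiry, so the sweep keys on `expires_at` and would run as a periodic job. Lifetime is the knob that bounds how long an orphan remains usable if someone obtains it.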
