FusionAuth

    Session token remains active after logout

    • nishant

      Hi,

      I'm implementing authentication using FusionAuth. I've defined an oauth_callback route which gets called on a successful login. In this route, I call the /oauth2/token endpoint from the FusionAuth API, passing the necessary arguments, and I'm able to retrieve an access_token.

      I have another route, validate_token, that calls the oauth2/introspect endpoint from the FusionAuth API and I'm able to check the validity of the above token by looking at the active field in the response. The problem is that active is returned as true even after I log out. Am I missing something or doing something wrong?

      Appreciate the help!

      Cheers,
      -- N.

      • nishant

        Heya @dan, do you have any advice on this issue?

        • dan

          Hiya,

          This JWT is valid because the JWT is not expired. You can't revoke a JWT by logging out because they are stateless. Here's more information about revoking JWTs: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts

          This is one of the reasons why we recommend storing a JWT in a server-side session, so that removing the session (on logout) removes the JWT. More here: https://fusionauth.io/learn/expert-advice/authentication/webapp/oauth-authorization-code-grant-sessions

          Does that help?

          --
          FusionAuth - Auth for devs, built by devs.
          https://fusionauth.io
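
The server-side session approach from the reply above, as an added example that is not part of the original posts and is not FusionAuth code: the JWT keeps passing a stateless signature-and-expiry check after logout, while the application stops accepting the session that held it. `issue_jwt`, `jwt_is_active`, `SessionStore` and the HS256 demo key are hypothetical names and constructed values standing in for the real token endpoint and validation call.

```python
import base64, hashlib, hmac, json, secrets

SIGNING_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest())

def issue_jwt(sub: str, ttl: int, now: float) -> str:
    """Constructed stand-in for the access_token the app receives at login."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "exp": int(now) + ttl}).encode())
    return f"{header}.{body}.{_sign(header + '.' + body)}"

def jwt_is_active(token: str, now: float) -> bool:
    """Stateless check: signature and exp only, so it knows nothing about logout."""
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{header}.{body}"), sig):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims["exp"] > now
    except (ValueError, KeyError, TypeError):
        return False

class SessionStore:
    """Server-side sessions: the browser holds only an opaque session id."""
    def __init__(self):
        self._sessions = {}

    def login(self, access_token: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = access_token
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # the JWT is discarded with the session

    def current_token(self, sid: str, now: float):
        """Return the JWT for a live session, or None after logout or expiry."""
        token = self._sessions.get(sid)
        if token is None or not jwt_is_active(token, now):
            self._sessions.pop(sid, None)
            return None
        return token
```

Because the token never leaves the server, a copy of it cannot outlive the session in the browser; any token that was also handed to another client stays valid until its `exp`.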
