FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Handling Access Token Revocation After Logout in FusionAuth

    Scheduled Pinned Locked Moved Solved
    Q&A
    1
    2
    58
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      wesley
      last edited by

      It appears that calling the /oauth2/logout endpoint does not invalidate the access token.

      Steps to Reproduce:

      1. Complete the OIDC flow and retrieve an access token.
      2. Validate the token using the /oauth2/introspect and /oauth2/userinfo endpoints.
      3. Call /oauth2/logout, passing the tenant ID and client ID, with the access token included as a cookie or in the Authorization header.
      4. After logout, call the /oauth2/userinfo or /oauth2/introspect endpoints again and observe that the access token still validates.

      Is this expected behavior, and how can we fully revoke an access token on logout?

      W 1 Reply Last reply Reply Quote 0
      • W
        wesley @wesley
        last edited by

        Yes, this is expected behavior because access tokens cannot be revoked by default.

        Why /oauth2/logout Doesn’t Invalidate Access Tokens:

        • Access tokens are stateless and do not require real-time validation with FusionAuth after issuance.
        • For this reason, access tokens are typically short-lived, reducing security risks.
        • Logout via /oauth2/logout only removes the SSO cookie and does not affect issued tokens.

        How to Handle Token Revocation:

        1. Use Short-Lived Access Tokens
          • The recommended approach is to issue short expiration times for access tokens and rely on refresh tokens for continued access.
        2. Implement a Token Revocation Strategy
          • If you need a way to invalidate access tokens, consider implementing a denylist-based revocation workflow.
          • FusionAuth provides guidance on how to do this: Revoking JWTs in FusionAuth
        3. Ensure Full Logout by Removing All Session Identifiers
          • If the user is also authenticated via a refresh token or other session identifiers, these must be explicitly removed to fully log out the user.
          • FusionAuth provides more details in:
            Logout Endpoint Documentation
            User Sessions in FusionAuth

        Summary

        By default, access tokens remain valid until expiration, even after logging out. To ensure access is revoked immediately, you will need to either implement a denylist mechanism or rely on short-lived tokens with refresh token workflows.

        1 Reply Last reply Reply Quote 0
        • W wesley has marked this topic as solved
        • First post
          Last post