FusionAuth

    Issues with multi-tenant refresh token revocation and custom JWT signing

    • michaelginn529

      I’m working on a multi-tenant FusionAuth setup where each tenant has its own applications and signing keys. Everything works fine for login and access tokens, but I’m running into problems with refresh token revocation.

      Tenant A and Tenant B both issue refresh tokens with custom JWT signing (ES256).

      When I revoke a refresh token in Tenant A, sometimes the access token issued by Tenant B (with the same userId but different client) is also invalidated.

      I’ve checked that tenants use separate signing keys, but FusionAuth seems to still treat the session globally.

      How can I isolate refresh token/session revocation strictly per-tenant?

      This feels like a misconfiguration on my end, but I can’t figure out what setting controls tenant-specific revocation.

      • mark.robustelli @michaelginn529

        @michaelginn529 What do you have your "Logout behavior" set to for the application? Any other specific configuration you can share would help as well.
