Introduction

Auth0 supports the authorization flows defined in OAuth 2.0 (RFC 6749), such as the Authorization Code Flow, the Authorization Code Flow with PKCE (Proof Key for Code Exchange, RFC 7636) and the Implicit Flow. By using Auth0 directly or through the SDKs Auth0 provides, each flow can be implemented with little effort.
When an issued token must be revoked to cut off access to the resource server, Auth0 can revoke only the refresh token: access tokens are self-contained JWTs and remain valid until their exp claim passes. If the access token lifetime is kept short, revoking the current refresh token prevents any new access token from being obtained; once the outstanding access token expires, access to the resource ends.

There are four ways to revoke refresh tokens in Auth0:

  • A) Operations in the Auth0 Dashboard
    Revoke the grant for the target user, application and audience
  • B) Management API: /api/v2/grants/{id}
    Revoke the grant for the target user, application and audience
  • C) Authentication API: /oauth/revoke
    Revoke a specific refresh token by its value
  • D) Management API: /api/v2/device-credentials/{id}
    Revoke the device credential (rotating refresh token) for the target user and application

On this page, the Authorization Code Flow (RFC 6749 section 4.1) is used as the example for confirming token revocation in Auth0. The required Auth0 settings and the concrete procedure for revoking a refresh token are described below.

Note

The information on functions and settings described on this page is current as of March 2023.

Prerequisite settings

Check the following Auth0-side settings required to obtain a refresh token in the Authorization Code Flow: an API whose Identifier is used as the audience, and a Regular Web Application (Client ID and Client Secret) with the Authorization Code and Refresh Token grant types enabled.

Also check the following setting before confirming refresh token revocation.

  • In the application's Settings > Advanced Settings, Refresh Token Revocation Deletes Grant is disabled (the default)

Supplement

This setting changes the scope of revocation for method C) (/oauth/revoke):

  • Disabled: only the refresh token passed to /oauth/revoke is revoked
  • Enabled: the specified refresh token and every other refresh token issued under the same combination of user, application and audience are revoked (the underlying grant is deleted)

Confirmation procedure overview

Taking the Authorization Code Flow as an example, the refresh token revocation procedure in Auth0 is confirmed as follows.

  1. Request an authorization code from the Auth0 /authorize endpoint
  2. Auth0 displays its authentication screen: perform user authentication
  3. Transition to the redirect destination specified in 1.: check the authorization code in the URL
  4. Access the Auth0 /oauth/token endpoint and obtain an access token, ID token and refresh token
  5. Check the obtained access token and ID token
  6. Access the Auth0 /oauth/token endpoint using the refresh token obtained in 4. and reacquire the ID token and access token
  7. Check the reacquired access token and ID token
  8. Revoke the refresh token obtained in 6.
  9. Confirm that an access token can no longer be obtained using the revoked refresh token

Confirmation procedure

1. Request an authorization code from the Auth0 /authorize endpoint
Open the following URL in a web browser (the spaces in the scope value are sent URL-encoded as %20)
https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/authorize?audience=https://example.com&response_type=code&scope=openid profile email offline_access&client_id=8XVChmTIfdfYdqHSrHW3meOxGtds6iiS&redirect_uri=https://example.com

Supplement

  • <YOUR_AUTH0_TENANT_NAME>: Auth0 tenant name
  • <REGION_DOMAIN>: region of the Auth0 tenant (for example us, eu, au or jp)
  • audience=https://example.com: Identifier of the API created in the prerequisite settings; it becomes the aud of the access token
  • response_type=code: use the Authorization Code Flow; scope=openid (with profile and email): also issue an ID token
  • scope=offline_access: issue a refresh token (requires the Refresh Token grant type to be enabled on the application)
  • client_id: Client ID of the application created in the prerequisite settings
  • redirect_uri: URL to redirect to after authentication; it must exactly match one of the application's Allowed Callback URLs
2. Authentication screen display by Auth0: Perform user authentication
3. Transition to the redirect destination specified in 1.: Check the authorization code from the URL
https://example.com/?code=tpP_z1EYtGiHy4zOb_lysQKfX7n5jkfOjmpJL1NTN1mwA
4. Access Auth0 /oauth/token endpoint and get access token, ID token and refresh token
> curl -X POST --url 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/oauth/token' --header 'content-type: application/x-www-form-urlencoded' --data 'grant_type=authorization_code&client_id=8XVChmTIfdfYdqHSrHW3meOxGtds6iiS&client_secret=sp53lHTcaRUjyogn7veTj0mpE0zt6IAQ8D9fLNaMYZFX3uaoaLAg0-D5EmW8m6_d&code=tpP_z1EYtGiHy4zOb_lysQKfX7n5jkfOjmpJL1NTN1mwA&redirect_uri=https://example.com'

Supplement

  • grant_type=authorization_code: use the Authorization Code Flow
  • client_id: Client ID of the application created in the prerequisite settings
  • client_secret: Client Secret of that application (this example uses a confidential Regular Web Application; a public client such as a SPA or native app sends a PKCE code_verifier instead of a secret)
  • code: authorization code obtained in 3.
  • redirect_uri: must be the same value that was sent in 1.
Result
{
	"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp...(omitted)...qvVPSppORhoOjSQLj170Q",
	"refresh_token":"v1.MUKtIl2YJGb7zr8miZ0W0i6Sp...(omitted)...gIMhDd6b4OcBQu2qBTuGI",
	"id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCI...(omitted)...Bwf8epG61vPgTk5oQ9p7A",
	"scope":"openid profile email offline_access",
	"expires_in":86400,
	"token_type":"Bearer"
}
5. Check the obtained access token and ID token
Decode the access token and ID token (for example at jwt.io; for production tokens, decode them locally rather than pasting them into a third-party site)
Access token decoding result
{
	"iss": "https://..auth0.com/",
	"sub": "auth0|63edd8308f9c50bfb575e326",
	"aud": [
	"https://example.com",
	"https://..auth0.com/userinfo"
	],
	"iat": 1677565426,
	"exp": 1677651826,
	"azp": "8XVChmTIfdfYdqHSrHW3meOxGtds6iiS",
	"scope": "openid profile email offline_access"
}
ID token decoding result
{
	"nickname": "xxxxxxxx",
	"name": "xxxxxxx@xxxxxxxx.co.jp",
	"picture": "https://s.gravatar.com/avatar/24b5f30a0fe65625e5afb...(omitted)...%2Fim.png",
	"updated_at": "2023-02-28T06:19:01.349Z",
	"email": "xxxxxxx@xxxxxxxx.co.jp",
	"email_verified": true,
	"iss": "https://..auth0.com/",
	"sub": "auth0|63edd8308f9c50bfb575e326",
	"aud": "8XVChmTIfdfYdqHSrHW3meOxGtds6iiS",
	"iat": 1677565426,
	"exp": 1677601426,
	"sid": "wR4eASabw79mKLy2Rgfk5LzPy8gpuwlY"
}
6. Use the refresh token obtained in 4. to access the Auth0 /oauth/token endpoint and reacquire the ID token and access token
> curl -X POST --url 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/oauth/token' --header 'content-type: application/x-www-form-urlencoded' --data 'grant_type=refresh_token&client_id=8XVChmTIfdfYdqHSrHW3meOxGtds6iiS&client_secret=sp53lHTcaRUjyogn7veTj0mpE0zt6IAQ8D9fLNaMYZFX3uaoaLAg0-D5EmW8m6_d&refresh_token=v1.MUKtIl2YJGb7zr8miZ0W0i6Sp...(omitted)...gIMhDd6b4OcBQu2qBTuGI&redirect_uri=https://example.com'

supplement

  • grant_type=refresh_token: Token reacquisition by refresh token
  • client_id: Client ID of Application settings in the preset
  • client_secret: Client Secret of the Application setting in the pre-configuration
  • refresh_token: Refresh token obtained in 4.
Result
{
	"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp...(omitted)...qrPFWEhjYOiky3uUTwk-lGSg",
	"refresh_token":"v1.MkKtIl2YJGb7zr8miZ0W0i53wu...(omitted)...q4-HWZ3vdMI6JjaD5rDxNk",
	"id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCI...(omitted)...sDIbq9qg9Bzg3kcWk8cEWw",
	"scope":"openid profile email offline_access",
	"expires_in":86400,
	"token_type":"Bearer"
}

Supplement

  • With Refresh Token Rotation enabled on the application (default: enabled), every use of a refresh token returns a new refresh token and retires the one just used. The refresh token obtained in 4. therefore cannot be used again after step 6; if a retired token is presented again outside the configured reuse interval, Auth0 treats it as reuse and revokes the whole token family, which is the leak detection rotation is designed to provide.
    Refresh Token Rotation - Auth0 docs
7. Check the reacquired access token and ID token
Decode the access token and ID token on jwt.io and confirm that the issuance (iat claim) and expiration date (exp claim) are different from the confirmation result in 5.
Decode result of reacquired access token
{
	"iss": "https://..auth0.com/",
	"sub": "auth0|63edd8308f9c50bfb575e326",
	"aud": [
	"https://example.com",
	"https://..auth0.com/userinfo"
	],
	"iat": 1677565856,
	"exp": 1677652256,
	"azp": "8XVChmTIfdfYdqHSrHW3meOxGtds6iiS",
	"scope": "openid profile email offline_access"
}
Decode result of reacquired ID token
{
	"nickname": "xxxxxxxx",
	"name": "xxxxxxx@xxxxxxxx.co.jp",
	"picture": "https://s.gravatar.com/avatar/24b5f30a0fe65625e5afb...(omitted)...%2Fim.png",
	"updated_at": "2023-02-28T06:19:01.349Z",
	"email": "xxxxxxx@xxxxxxxx.co.jp",
	"email_verified": true,
	"iss": "https://..auth0.com/",
	"sub": "auth0|63edd8308f9c50bfb575e326",
	"aud": "8XVChmTIfdfYdqHSrHW3meOxGtds6iiS",
	"iat": 1677565856,
	"exp": 1677601856
}
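As an added example (not part of the original page and not Auth0 code), the following Python decodes both access tokens locally instead of on jwt.io and performs the step 5 and step 7 comparison together with the claim checks a resource server would make (iss, aud, exp). The sample tokens, the tenant URL https://tenant.us.auth0.com/ and the placeholder signature are constructed for this example; the claims follow the decode results above. Decoding is not verification: the RS256 signature must still be verified against the tenant JWKS before any claim is trusted.

```python
import base64
import json
import time
from typing import Any, Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWT. This does NOT verify the RS256
    signature; a resource server must verify it against the tenant JWKS
    (https://<tenant>/.well-known/jwks.json) before trusting any claim."""
    _header, payload, _signature = token.split(".")  # ValueError if not 3 segments
    return json.loads(_b64url_decode(payload))


def check_claims(claims: Dict[str, Any], issuer: str, audience: str,
                 now: Optional[int] = None) -> List[str]:
    """List the problems with an access token's claims (empty list means sane)."""
    now = int(time.time()) if now is None else now
    problems: List[str] = []
    if claims.get("iss") != issuer:
        problems.append(f"iss mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):  # aud is str or list
        problems.append(f"aud does not contain {audience!r}")
    if "exp" not in claims or now >= claims["exp"]:
        problems.append("token expired or has no exp")
    if claims.get("iat", 0) > now:
        problems.append("iat is in the future")
    return problems


def is_reissued(old: Dict[str, Any], new: Dict[str, Any]) -> bool:
    """True when `new` was minted later than `old` for the same subject (step 7 check)."""
    return old["sub"] == new["sub"] and new["iat"] > old["iat"] and new["exp"] > old["exp"]


# Constructed sample tokens: claims modelled on the decode results on this page,
# signature replaced by a placeholder, so they decode but can never verify.
def _unsigned_jwt(claims: Dict[str, Any]) -> str:
    def enc(obj: Dict[str, Any]) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    head = enc({"alg": "RS256", "typ": "JWT"})
    return f"{head}.{enc(claims)}.placeholder-signature"


SAMPLE_ISSUER = "https://tenant.us.auth0.com/"  # hypothetical tenant
SAMPLE_AUDIENCE = "https://example.com"
SAMPLE_SUB = "auth0|63edd8308f9c50bfb575e326"
FIRST_ACCESS_TOKEN = _unsigned_jwt({
    "iss": SAMPLE_ISSUER, "sub": SAMPLE_SUB, "aud": [SAMPLE_AUDIENCE, SAMPLE_ISSUER + "userinfo"],
    "iat": 1677565426, "exp": 1677651826, "scope": "openid profile email offline_access"})
REISSUED_ACCESS_TOKEN = _unsigned_jwt({
    "iss": SAMPLE_ISSUER, "sub": SAMPLE_SUB, "aud": [SAMPLE_AUDIENCE, SAMPLE_ISSUER + "userinfo"],
    "iat": 1677565856, "exp": 1677652256, "scope": "openid profile email offline_access"})


def compare_tokens(first: str = FIRST_ACCESS_TOKEN, second: str = REISSUED_ACCESS_TOKEN,
                   now: int = 1677565900) -> Dict[str, Any]:
    """Steps 5 and 7 done locally: decode both tokens, check claims, confirm reissue."""
    old, new = decode_jwt_claims(first), decode_jwt_claims(second)
    return {"old_problems": check_claims(old, SAMPLE_ISSUER, SAMPLE_AUDIENCE, now),
            "new_problems": check_claims(new, SAMPLE_ISSUER, SAMPLE_AUDIENCE, now),
            "reissued": is_reissued(old, new)}
```

`compare_tokens()` reports no problems for either sample and `reissued: True`, which is the step 7 observation (iat and exp moved forward). Handing `check_claims` a different audience or a `now` past exp makes it reject the token, which is exactly the check the resource server relies on once the refresh token has been revoked and the last access token ages out.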
8. Invalidate the refresh token obtained in 6.
A) Operations in the Auth0 Dashboard
  • Click [User Management] > [Users]
  • Click the user associated with the refresh token to be invalidated
  • Click the Authorized Applications tab
  • Check the Application and Audience associated with the refresh token to be invalidated, and click the [Revoke] button.
  • Click the [Yes, Revoke] button on the confirmation screen
  • Confirm that the disabled target has disappeared from the list
B) Management API: /api/v2/grants/{id}
> curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5...(omitted)...T9XmWcw" 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/api/v2/grants?user_id=auth0%7C63edd8308f9c50bfb575e326&client_id=8XVChmTIfdfYdqHSrHW3meOxGtds6iiS&audience=https://example.com'

Supplement

  • Authorization: a Management API access token (audience https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/api/v2/) carrying the read:grants scope; the DELETE below additionally requires delete:grants
  • user_id: User ID of the user whose grant is to be revoked
  • client_id: Client ID of the application whose grant is to be revoked
  • audience: audience to revoke (the Identifier in the API settings)
Execution result
[
	{
		"user_id":"auth0|63edd8308f9c50bfb575e326",
		"audience":"https://example.com",
		"scope":["openid","profile","email","offline_access"],
		"clientID":"8XVChmTIfdfYdqHSrHW3meOxGtds6iiS",
		"id":"6430dbcc408feb3521dec7b7"
	}
]
> curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5...(omitted)...T9XmWcw" -X DELETE https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/api/v2/grants/6430dbcc408feb3521dec7b7
C) Authentication API: /oauth/revoke
  • Pass the value of the refresh token to be revoked
> curl -X POST --url 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/oauth/revoke' --header 'content-type: application/json' --data '{ "client_id": "8XVChmTIfdfYdqHSrHW3meOxGtds6iiS", "client_secret": "sp53lHTcaRUjyogn7veTj0mpE0zt6IAQ8D9fLNaMYZFX3uaoaLAg0-D5EmW8m6_d", "token": "v1.MkKtIl2YJGb7zr8miZ0W0i53wu...(omitted)...q4-HWZ3vdMI6JjaD5rDxNk" }'

Supplement

  • client_id: Client ID of the application the refresh token was issued to
  • client_secret: Client Secret of that application (omitted for public clients, which have no secret)
  • token: refresh token to revoke
  • A 200 response with an empty body means the token is no longer valid; as RFC 7009 requires, the endpoint also answers 200 for a token it does not recognise, so do not treat the status code as proof that the token existed
D) Management API: /api/v2/device-credentials/{id}
> curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5...(omitted)...T9XmWcw" 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/api/v2/device-credentials?user_id=auth0%7C63edd8308f9c50bfb575e326&client_id=8XVChmTIfdfYdqHSrHW3meOxGtds6iiS&type=rotating_refresh_token'

Supplement

  • Authorization: a Management API access token carrying the read:device_credentials scope; the DELETE below additionally requires delete:device_credentials
  • user_id: User ID of the user whose device credential is to be revoked
  • client_id: Client ID of the application whose device credential is to be revoked
  • type=rotating_refresh_token: selects refresh tokens issued with rotation enabled
Execution result
[
	{
		"id":"dcr_v7ElzV8tQhFebE4n",
		"device_name":"Chrome",
		"client_id":"8XVChmTIfdfYdqHSrHW3meOxGtds6iiS",
		"user_id":"auth0|63edd8308f9c50bfb575e326",
		"type":"rotating_refresh_token"
	}
]
> curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5...(omitted)...T9XmWcw" -X DELETE https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/api/v2/device-credentials/dcr_v7ElzV8tQhFebE4n
9. Confirm that the access token cannot be reacquired using the invalidated refresh token
> curl -X POST --url 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/oauth/token' --header 'content-type: application/x-www-form-urlencoded' --data 'grant_type=refresh_token&client_id=8XVChmTIfdfYdqHSrHW3meOxGtds6iiS&client_secret=sp53lHTcaRUjyogn7veTj0mpE0zt6IAQ8D9fLNaMYZFX3uaoaLAg0-D5EmW8m6_d&refresh_token=v1.MkKtIl2YJGb7zr8miZ0W0i53wu...(omitted)...q4-HWZ3vdMI6JjaD5rDxNk&redirect_uri=https://example.com'

supplement

  • refresh_token: Refresh token invalidated in 8.
Execution result

Auth0 rejects the request with an invalid_grant error stating that the refresh token is unknown or invalid.

{
	"error":"invalid_grant",
	"error_description":"Unknown or invalid refresh token."
}
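The revocation and verification of steps 8 and 9 as an added example, written for this page rather than taken from Auth0 or the original article: a small Python client that performs method C (/oauth/revoke), method B (list and delete the grant through the Management API) and the step 9 check that the token now yields invalid_grant. The tenant domain, client credentials, Management API token and the FakeAuth0 transport are constructed assumptions so that it runs offline; pass urllib_transport instead to run it against a real tenant, with a Management API token that carries read:grants and delete:grants.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# A transport is (method, url, headers, body) -> (status, response_text), so the
# same client code runs against a real tenant or the constructed FakeAuth0 below.
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # Auth0 answers 4xx with a JSON error body
        return err.code, err.read().decode()


class RefreshTokenRevoker:
    """Methods B and C from this page plus the step 9 check (hypothetical tenant values)."""

    def __init__(self, domain: str, client_id: str, client_secret: str,
                 mgmt_token: str, transport: Transport = urllib_transport):
        self.base = f"https://{domain}"
        self.client_id, self.client_secret = client_id, client_secret
        self.mgmt_headers = {"Authorization": f"Bearer {mgmt_token}"}  # needs read:grants, delete:grants
        self.transport = transport

    def revoke_token(self, refresh_token: str) -> bool:
        """Method C: POST /oauth/revoke. RFC 7009 servers answer 200 even for unknown tokens."""
        body = json.dumps({"client_id": self.client_id, "client_secret": self.client_secret,
                           "token": refresh_token}).encode()
        status, _ = self.transport("POST", f"{self.base}/oauth/revoke",
                                   {"content-type": "application/json"}, body)
        return status == 200

    def find_grant_ids(self, user_id: str, audience: str) -> List[str]:
        """Method B, lookup: GET /api/v2/grants filtered by user, client and audience."""
        query = urllib.parse.urlencode({"user_id": user_id, "client_id": self.client_id,
                                        "audience": audience})
        status, text = self.transport("GET", f"{self.base}/api/v2/grants?{query}",
                                      self.mgmt_headers, b"")
        if status != 200:
            raise RuntimeError(f"grant lookup failed: HTTP {status} {text}")
        return [grant["id"] for grant in json.loads(text)]

    def delete_grant(self, grant_id: str) -> bool:
        """Method B, revoke: DELETE /api/v2/grants/{id} (204 on success)."""
        status, _ = self.transport("DELETE", f"{self.base}/api/v2/grants/{grant_id}",
                                   self.mgmt_headers, b"")
        return status == 204

    def is_revoked(self, refresh_token: str) -> bool:
        """Step 9: a revoked token must produce invalid_grant, never a new access token."""
        body = urllib.parse.urlencode({"grant_type": "refresh_token", "client_id": self.client_id,
                                       "client_secret": self.client_secret,
                                       "refresh_token": refresh_token}).encode()
        status, text = self.transport("POST", f"{self.base}/oauth/token",
                                      {"content-type": "application/x-www-form-urlencoded"}, body)
        if status == 200:
            return False  # Auth0 still minted a token: the refresh token is live
        return json.loads(text).get("error") == "invalid_grant"


class FakeAuth0:
    """Constructed stand-in for a tenant: one grant holding its live refresh tokens."""

    def __init__(self):
        self.grants = {"6430dbcc408feb3521dec7b7": {
            "user_id": "auth0|63edd8308f9c50bfb575e326", "audience": "https://example.com",
            "clientID": "8XVChmTIfdfYdqHSrHW3meOxGtds6iiS", "tokens": {"v1.rt_current"}}}

    def __call__(self, method, url, headers, body):
        parts = urllib.parse.urlsplit(url)
        params = dict(urllib.parse.parse_qsl(parts.query))
        if parts.path == "/oauth/revoke":
            for grant in self.grants.values():
                grant["tokens"].discard(json.loads(body)["token"])
            return 200, ""  # 200 whether or not the token was known (RFC 7009)
        if parts.path == "/oauth/token":
            form = dict(urllib.parse.parse_qsl(body.decode()))
            if any(form.get("refresh_token") in g["tokens"] for g in self.grants.values()):
                return 200, json.dumps({"access_token": "eyJ...", "expires_in": 86400})
            return 403, json.dumps({"error": "invalid_grant",
                                    "error_description": "Unknown or invalid refresh token."})
        if method == "GET" and parts.path == "/api/v2/grants":
            hits = [dict(id=gid, **{k: v for k, v in g.items() if k != "tokens"})
                    for gid, g in self.grants.items()
                    if g["user_id"] == params["user_id"] and g["audience"] == params["audience"]]
            return 200, json.dumps(hits)
        if method == "DELETE" and parts.path.startswith("/api/v2/grants/"):
            gone = self.grants.pop(parts.path.rsplit("/", 1)[1], None)
            return (204, "") if gone else (404, json.dumps({"error": "Not Found"}))
        return 404, "{}"
```

The important design point is `is_revoked`: it never trusts the revoke call's status code, because a 200 from /oauth/revoke is also returned for tokens the server never knew. Only a subsequent refresh attempt that comes back as invalid_grant proves the token is dead, which is exactly what step 9 of the page checks.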

Conclusion

Using the Authorization Code Flow as an example, this page walked through the refresh token revocation procedure in Auth0. We hope it helps you understand how token revocation works in Auth0.

Reference information

RFC 7009 (OAuth 2.0 Token Revocation) names refresh tokens (MUST) and access tokens (SHOULD) as revocation targets:

Implementations MUST support the revocation of refresh tokens and SHOULD support the revocation of access tokens (see Implementation Note).
RFC 7009: OAuth 2.0 Token Revocation
