Logout API does not revoke the access_token

[tanwirahmad]

Hi, I am using the python client to logout a user using this function logout(). After calling this function, the access_token remains invalid. I have tried this anonymous_client.logout_with_request() function but the results were same.

I have read these articles:
https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts
https://fusionauth.io/learn/expert-advice/tokens/pros-and-cons-of-jwts
If I understood correctly, this is the intended behaviour but I can still achieve the desired behaviour using JWTManager. But I could not find JWTManager for the python client.

So, in summary, is there any way to invalidate access_token when a user logs out.

Versions
Fusionauth-client 1.31
FusionAuth 1.31

[mooreds]

We do not yet have an implementation of JWTManager for python, you are correct. You could translate the JWTManager javascript code into python, which would be on option. We welcome pull requests :) .

[scott2b]

The original question seems to be specifically how to revoke an access token (not a refresh token). Although the original question states that the desired behavior can apparently be achieved via the JWTManager, I am unable to find how the JWTManager exposes functionality for revoking or invalidating an access token.

How does one go about revoking an access token? Either with the JWTManager ... or regardless of the client, what would be the correct API call to do this?

[mooreds]

@scott2b

You can't explicitly revoke an access token in FusionAuth. We don't support RFC 7009: https://www.rfc-editor.org/rfc/rfc7009.html and based on the number of upvotes for this, I don't know if the community wants us to: FusionAuth/fusionauth-issues#201

So, if you want to have an access token become invalid, you have to manage it yourself. That is what is outlined in the articles @tanwirahmad mentions. The process is basically:

• set up webhooks to fire to all the resource servers when a refresh token is invalidated (when the user logs out)
• listen for that event, and when it occurs, record the user with the invalid token in the resource server (in redis, db, etc)
• next time an access token is presented, verify that it is not for a user who has logged out

If you want to handle the case where a user logs out, then logs back in quickly, then the time based logic in the Webhooks section here: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts needs to be implemented.

Hope this helps.

[scott2b]

This is very helpful. Thank you for the quick response. While I was poking around at this, I also ran across this discussion which seems relevant and illuminating: FusionAuth/fusionauth-issues#25

Particularly, the whole thing JWTs are meant to be portable and are not persisted server-side switched on a lightbulb for me. But it also raises the question of whether they should be used in a standard application session-oriented auth workflow, as seems to be implied, e.g. in the the example Flask client here. While the example does not explicitly keep track of user sessions, it would be the natural next step (and the one I am trying to solve now).

So I sort of think maybe using the JWT API for this is not the right approach? But then is there another mechanism provided by the FusionAuth API? As far as I can tell, this is just how FusionAuth works by virtue of the fact of using JWTs as oAuth tokens.

[mooreds]

@scott2b I suggest you take a look at these login flows. They walk through all kinds of options: https://fusionauth.io/learn/expert-advice/authentication/login-authentication-workflows

You can also post in our community forum, slack or open a support ticket (if you have support). All of these will get you a better response than posting on a client library issue (your current experience notwithstanding :) ).

[scott2b]

Thank you for this link. I appreciate the detail spelled out here.