Global token revocation

By default, when a Hosted Login user session ends, only the session itself is deleted. Access and refresh tokens are not deleted. They must be revoked independently from the session.

Note:

In OpenID Connect (OIDC) terms, tokens whose expiration is independent from the user’s session are called “offline” tokens. This is because they can be used even after the user has logged out, or in other words, even when the user is offline.

If you would like all access and refresh tokens issued during the session to be invalidated when the session ends, you can enable “online” tokens via the Token Policy.

How to enable online tokens

All new and existing token policies have offline token behavior built in by default. Token policies with this built-in behavior contain the following key-value pair:
"forceOfflineScope": true

Example Token Policy with offline tokens configured:

{
    "id": "7632b3f2-e912-4702-82f7-de212d680b6f",
    "accessTokenLifetime": 3600,
    "allowedScopes": [
        "openid",
        "email"
    ],
    "forceOfflineScope": true, // OFFLINE TOKENS CONFIGURED
    "refreshTokenLifetime": 7776000,
    "title": "My Token Policy",
    "useAccessJWT": false,
    "_links": {
        "self": {
            "href": "/config/a12bc34d-567e-8f90-gh12-3i45jk678lm9/tokenPolicies/7632b3f2-e912-4702-82f7-de212d680b6f"
        }
    }
}

You can enable online tokens by setting forceOfflineScope to false.

Note:

For general configuration instructions, see: Modify a token policy

Example Token Policy with online tokens configured:

{
    "id": "7632b3f2-e912-4702-82f7-de212d680b6f",
    "accessTokenLifetime": 3600,
    "allowedScopes": [
        "openid",
        "email"
    ],
    "forceOfflineScope": false, // ONLINE TOKENS CONFIGURED
    "refreshTokenLifetime": 7776000,
    "title": "My Token Policy",
    "useAccessJWT": false,
    "_links": {
        "self": {
            "href": "/config/a12bc34d-567e-8f90-gh12-3i45jk678lm9/tokenPolicies/7632b3f2-e912-4702-82f7-de212d680b6f"
        }
    }
}

Allow offline tokens per request

If you enable online tokens in your Token Policy (in other words, turn off the forced offline scope), you can still allow offline tokens to be provisioned on a per-request basis.

Note:

“Per request” means per OIDC Authorization request.

To allow offline tokens per request: Add the offline_access scope to the Token Policy’s allowedScopes

Example:

{
    "id": "7632b3f2-e912-4702-82f7-de212d680b6f",
    "accessTokenLifetime": 3600,
    "allowedScopes": [
        "openid",
        "email",
        "offline_access" // ALLOWS OFFLINE TOKENS PER REQUEST
    ],
    "forceOfflineScope": false,
    "refreshTokenLifetime": 7776000,
    "title": "My Token Policy",
    "useAccessJWT": false,
    "_links": {
        "self": {
            "href": "/config/a12bc34d-567e-8f90-gh12-3i45jk678lm9/tokenPolicies/7632b3f2-e912-4702-82f7-de212d680b6f"
        }
    }
}

Notes:

  • Notice in the example above that "forceOfflineScope" is false, so all access and refresh tokens generated by this Token Policy default to online behavior. Because allowedScopes includes offline_access, however, this Token Policy can still be used to provision offline tokens when a request asks for them.
  • For general configuration instructions, see: Modify a token policy

To provision offline tokens using this Token Policy: Add the offline_access scope to your Authorization request.

Example:

https://v1.api.eu.janrain.com/a12bc34d-567e-8f90-gh12-3i45jk678lm9/login/authorize
  ?client_id=4ddd6dc1-8313-4b49-ae2a-1afe65c55a8f
  &redirect_uri=https%3A%2F%2Fmy-app.com%2Fredirect_uri
  &response_type=code
  &scope=openid offline_access
  &state=kittens

Token behavior

To summarize all expected scenarios, tokens become invalid when:

  • they expire on their own
  • they are invalidated via the revocation_endpoint (/login/token/revoke)
  • the Hosted Login session ends (online tokens only)

The Hosted Login session ends when:

  • it is deleted via the administrative API (/sessions/{session-id})
  • it is ended via the end_session_endpoint (/login/end_session) with a valid logout_hint
  • it is ended by the user taking a global logout action in Hosted Login v3
  • it expires because it exceeds its maximum age
  • it expires due to user inactivity*
  • the last device is unbound, i.e. there are no more logged-in devices

Note:

*A user’s session activity is refreshed when they interact with Hosted Login directly (e.g. login, SSO, step-up authentication, profile management) or when your application refreshes an online token for a session that is still active.
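The following is an added example (not Akamai Identity Cloud / Janrain code) that models the rules described above: which token mode a policy plus an authorization request yields, when a token stops being valid, and which policy settings let tokens outlive the session. The sample policies and tokens are constructed, and the field names "mode", "id" and "expires_at" on the token dictionaries are assumptions for illustration.

```python
# Added example: a small model of the token-mode and validity rules on this page.
# Not Akamai/Janrain code; policies and tokens below are constructed samples, and
# the token fields "id", "mode" and "expires_at" are names assumed for illustration.
from urllib.parse import urlsplit, parse_qs

# Constructed sample policies, shaped like the Token Policy examples above.
FORCED_OFFLINE = {"forceOfflineScope": True, "allowedScopes": ["openid", "email"]}
ONLINE_ONLY = {"forceOfflineScope": False, "allowedScopes": ["openid", "email"]}
OFFLINE_PER_REQUEST = {"forceOfflineScope": False,
                       "allowedScopes": ["openid", "email", "offline_access"]}


def requested_scopes(authorize_url: str) -> set:
    """Extract the space-separated OIDC scope values from an authorization URL."""
    query = parse_qs(urlsplit(authorize_url).query)
    return set(" ".join(query.get("scope", [])).split())


def effective_token_mode(policy: dict, scopes: set) -> str:
    """Return 'offline' or 'online' following the page's rules: forceOfflineScope
    true (the built-in default) forces offline tokens; otherwise tokens are offline
    only if offline_access is both requested and present in allowedScopes."""
    if policy.get("forceOfflineScope", True):
        return "offline"
    if "offline_access" in scopes and "offline_access" in policy.get("allowedScopes", []):
        return "offline"
    return "online"


def token_is_valid(token: dict, now: int, revoked: set, session_active: bool) -> bool:
    """A token is invalid once it expires, once it is revoked via the revocation
    endpoint, or, for online tokens only, once the Hosted Login session has ended."""
    if now >= token["expires_at"] or token["id"] in revoked:
        return False
    if token["mode"] == "online" and not session_active:
        return False
    return True


def lint_policy(policy: dict) -> list:
    """Flag policy settings under which tokens can outlive the user's session."""
    findings = []
    if policy.get("forceOfflineScope", True):
        findings.append("forceOfflineScope is true: all tokens survive logout")
    elif "offline_access" in policy.get("allowedScopes", []):
        findings.append("offline_access allowed: tokens survive logout when requested")
    return findings
```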

Keep in mind:

  • Token revocation as described here does not remove tokens from your application(s). If you store access/refresh tokens in your app(s) and they are invalidated, they will simply become unusable. It is your responsibility to clean invalid tokens out of your app(s).
  • Tokens generated by the JavaScript SDK or Authentication API are part of a completely different system and are unaffected by the Hosted Login session.