OAuth token revocation
Hi, guys!
Help me understand, please. We implemented the OAuth flow and everything works fine, but I fail to understand the connection between sessions and tokens.
When the user logs out, our frontend (using the Zitadel lib) calls /oidc/v1/end_session. In the user_sessions table the respective session changes state from 0 to 1, and the access token becomes invalid. However, the refresh token is not revoked and I can still get an access token using it.
Can you explain why the access token becomes invalid and the refresh token doesn't?
Side question: when I terminate a session via /v2/sessions/{session_id}, I see an event in the event_store table, session.terminated. However, the session in the user_session table stays in state 0. Isn't it supposed to be in state 1?
Hi @Кирилл, thanks for reaching out! This is the way it was implemented in ZITADEL. If you want to revoke refresh tokens, you need to call the revocation endpoint {your_domain}/oauth/v2/revoke. As you noted, ending a session won't automatically revoke refresh tokens; it will only invalidate access tokens.
Regarding the session termination with the /v2/sessions/{session_id} endpoint and the user_session table, please allow me to query internally and I will get back to you shortly with a response. In the meantime, please let me know if you have any other questions.
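Added example (not code from the thread or from ZITADEL itself) of a logout that revokes the refresh token before calling end_session, so the refresh token cannot mint new access tokens after the session is gone. It assumes the revoke endpoint named above accepts RFC 7009 form parameters, that the app is a public client identified by client_id, and that `fetchImpl` is injectable for offline use; the issuer, client id and token values in it are constructed placeholders.

```javascript
// Build an RFC 7009 revocation request for the ZITADEL endpoint named in the reply.
// token_type_hint tells the server which token store to check first.
function buildRevocationRequest(issuer, clientId, token, tokenTypeHint) {
  const body = new URLSearchParams({ token, client_id: clientId });
  if (tokenTypeHint) body.set("token_type_hint", tokenTypeHint);
  return {
    url: `${issuer}/oauth/v2/revoke`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// RP-initiated logout URL; id_token_hint lets the OP identify the session to end.
function buildEndSessionUrl(issuer, idToken, postLogoutRedirectUri) {
  const u = new URL(`${issuer}/oidc/v1/end_session`);
  u.searchParams.set("id_token_hint", idToken);
  u.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return u.toString();
}

// Full logout: revoke the refresh token first (while we still have it), then
// hand back the end_session URL for the browser to navigate to.
// fetchImpl is an assumption-level injection point so the flow can be exercised offline.
async function logout(opts, fetchImpl = fetch) {
  const { issuer, clientId, refreshToken, idToken, postLogoutRedirectUri } = opts;
  const req = buildRevocationRequest(issuer, clientId, refreshToken, "refresh_token");
  const res = await fetchImpl(req.url, {
    method: req.method, headers: req.headers, body: req.body,
  });
  // RFC 7009: 200 means revoked (or already invalid); anything else must not be
  // silently ignored, otherwise a live refresh token outlives the logout.
  if (res.status !== 200) throw new Error(`revocation failed: HTTP ${res.status}`);
  return buildEndSessionUrl(issuer, idToken, postLogoutRedirectUri);
}

// Constructed sample values for a stand-alone run.
const SAMPLE = {
  issuer: "https://auth.example.com",
  clientId: "my-spa",
  refreshToken: "rt-constructed",
  idToken: "idt-constructed",
  postLogoutRedirectUri: "https://app.example.com/",
};
```

Order matters: after end_session the access token is already gone but, as the reply states, the refresh token is not, so revoke it before (or regardless of) ending the session.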
Hey @Кирилл, I got the following reply from Engineering: projections.user_session only tracks v1 sessions ("old login"). If you are already on login v2 or using the sessions API directly, terminating a session will not show up there; it will be reflected in the projections.sessions8 projection instead. I hope this answers your question!