Matej Mijoski, 2mo ago

Does destroying the session also make all refresh tokens invalid?

I am trying to check if destroying the session for a logged-in user will also invalidate all refresh tokens that the user has. I found some Zitadel blog article that says that this doesn't happen, but from what I experienced, I think it's the opposite.
3 Replies
Rajat, 2mo ago
Hey @Matej Mijoski, it should not happen unless you have very short refresh token lifetimes; then tokens will expire quickly. It says the same here.
Matej Mijoski (OP), 2mo ago
Hi, I read the article you sent over, and that was the one I was referencing in the post. I also found this part: "Conversely, if a session ends, tokens associated with that session should be considered invalid, even if their expiry time hasn't been reached." Shouldn't this mean that the (opaque) refresh token should be invalidated automatically?
Rajat Singh, 2mo ago
Hey @Matej Mijoski, you are right here; it's more of the best practice, not Zitadel's real implementation. Do you want to raise a PR for the docs? :gigilove:
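The best-practice wording quoted above (ending a session makes the tokens bound to it invalid before their expiry) modelled as a small token store; this is a constructed example added here, not Zitadel's implementation or the behaviour the thread reports. The class name, the in-memory dictionaries and the `now` parameter are assumptions made so the example runs offline and deterministically.

```python
import secrets
import time


class SessionBoundTokenStore:
    """Opaque refresh tokens bound to the session that issued them.
    Constructed model, not Zitadel's code: destroying a session revokes
    every refresh token it issued, regardless of the token's own expiry."""

    def __init__(self, refresh_ttl_seconds=3600):
        self.sessions = {}        # session_id -> {"user": str, "active": bool}
        self.refresh_tokens = {}  # token -> {"session": session_id, "expires": float}
        self.refresh_ttl = refresh_ttl_seconds

    def create_session(self, user):
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"user": user, "active": True}
        return session_id

    def issue_refresh_token(self, session_id, now=None):
        now = time.time() if now is None else now
        session = self.sessions.get(session_id)
        if session is None or not session["active"]:
            raise ValueError("cannot issue a token for an unknown or ended session")
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = {"session": session_id, "expires": now + self.refresh_ttl}
        return token

    def redeem_refresh_token(self, token, now=None):
        """Return the user the token belongs to, or None when it is invalid.
        Rejects unknown, expired and already-used tokens, and tokens whose
        session has ended (the case the thread is about)."""
        now = time.time() if now is None else now
        record = self.refresh_tokens.pop(token, None)  # single use: rotate on every redeem
        if record is None or record["expires"] <= now:
            return None
        session = self.sessions.get(record["session"])
        if session is None or not session["active"]:
            return None
        return session["user"]

    def destroy_session(self, session_id):
        """End the session and revoke every refresh token bound to it."""
        if session_id in self.sessions:
            self.sessions[session_id]["active"] = False
        self.refresh_tokens = {
            t: r for t, r in self.refresh_tokens.items() if r["session"] != session_id
        }
```

The refresh-token lifetime of 3600 seconds is a constructed default; the point is that `destroy_session` makes the token unusable long before that lifetime is reached.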