
In token-based authentication (OAuth / OpenID Connect), users are issued access tokens and refresh tokens by the OAuth Provider. These tokens enable applications and APIs to act on behalf of the user and maintain session continuity without requiring repeated logins. While this improves usability, it can also introduce a security concern. In some cases, tokens may remain valid even after the user logs out, allowing applications to continue accessing resources until the tokens expire or are explicitly revoked.

This is where Revoke User Tokens After Logout becomes essential.

In this section, we’ll discuss everything from requirements and implementation process to results.


In a typical OAuth or OpenID Connect flow, the OAuth Provider issues Access Tokens for API access and Refresh Tokens to obtain new access tokens without user interaction. When a user logs out of the application, the local session ends, but the refresh token issued by the OAuth Provider may still be valid.

Consider an application that integrates with APIs, background jobs, or third-party services using OAuth tokens issued by the OAuth Provider. A user logs out of the application, expecting all access to end, yet the authorization granted to the application still exists: anything that holds the refresh token can keep obtaining new access tokens until the refresh token expires or is revoked.

Where Token Revocation Changes the Game

By enabling Revoke User Tokens After Logout, the application explicitly invalidates the refresh token at the OAuth Provider during the logout process.

Instead of only ending the UI session, logout becomes a complete authorization shutdown.

When this feature is enabled:

  • The refresh token stored in the user session is identified.
  • A token revocation request is sent to the OAuth Provider.
  • The refresh token is invalidated immediately.
  • No new access tokens can be generated using that token.

Logout no longer stops at session termination; it removes long-lived access.

  • First, install and configure the miniOrange Drupal OAuth client module. This setup guide will help you configure the module.
  • To configure this feature, you first need to store the refresh token in the user session.
    • For that, navigate to the Module settings tab by clicking the module settings link.
    • Scroll down to the Token storage section, enable Store token in User session, and check the Refresh token check box.
    • Then, scroll down and click the Save Configuration button.
  • Now, check the Revoke user tokens after logout check box to activate this feature.
  • Enter the complete URL of the provider's revocation endpoint in the IDP Token Revoke Endpoint text field.
  • Enter the name of the parameter that carries the token in the Name the parameter carrying the token text field, for example token.
  • You can pass additional parameters with the revocation request, such as client credentials the provider requires. Enter the name of the parameter in the Param Name text field and its value in the Param Value field.
  • If you want to pass multiple parameters, enter the number of rows you want to add and then click the Add button.
  • Then, scroll down and click the Save button.
  • That's it. You have successfully configured the Revoke User Tokens After Logout feature.
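The following is an added example, not code from the miniOrange module or from Drupal, that models the revocation step end to end so the effect of the setting can be checked offline. It replaces the real OAuth Provider with an in-memory stand-in (a token endpoint per RFC 6749 and a revocation endpoint per RFC 7009); the revocation endpoint URL, the client_id and client_secret, and the user name are made-up values. The settings dictionary mirrors the fields from the procedure above: the endpoint URL, the name of the parameter carrying the token, and the extra Param Name / Param Value rows.

```python
"""Refresh-token revocation at logout, modelled end to end.

Added example, not the miniOrange module's code. MockOAuthProvider stands in
for the OAuth Provider; the endpoint URL and client credentials are made up.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode


class MockOAuthProvider:
    """Issues access/refresh token pairs, refreshes them, and revokes them."""

    def __init__(self, access_ttl=300):
        self.access_ttl = access_ttl
        self.clients = {"drupal-site": "s3cr3t"}  # constructed client credentials
        self.refresh_tokens = {}  # refresh_token -> {"client_id", "sub", "revoked"}
        self.access_tokens = {}   # access_token -> (expires_at, refresh_token)

    def _client_ok(self, form):
        cid = form.get("client_id", [None])[0]
        return cid in self.clients and form.get("client_secret", [None])[0] == self.clients[cid]

    def _mint_access(self, rt):
        at = secrets.token_urlsafe(24)
        self.access_tokens[at] = (time.time() + self.access_ttl, rt)
        return {"access_token": at, "refresh_token": rt, "expires_in": self.access_ttl}

    def issue(self, client_id, subject):
        """Outcome of a completed login flow (the flow itself is not modelled)."""
        rt = secrets.token_urlsafe(24)
        self.refresh_tokens[rt] = {"client_id": client_id, "sub": subject, "revoked": False}
        return self._mint_access(rt)

    def token_endpoint(self, body):
        """grant_type=refresh_token: only a live, un-revoked refresh token works."""
        form = parse_qs(body)
        if not self._client_ok(form):
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != ["refresh_token"]:
            return 400, {"error": "unsupported_grant_type"}
        rt = form.get("refresh_token", [""])[0]
        rec = self.refresh_tokens.get(rt)
        if rec is None or rec["revoked"] or rec["client_id"] != form["client_id"][0]:
            return 400, {"error": "invalid_grant"}
        return 200, self._mint_access(rt)

    def revoke_endpoint(self, body):
        """RFC 7009: mark the refresh token revoked; unknown tokens still get 200."""
        form = parse_qs(body)
        if not self._client_ok(form):
            return 401, {"error": "invalid_client"}
        token = form.get("token", [""])[0]
        rec = self.refresh_tokens.get(token)
        if rec is not None and rec["client_id"] == form["client_id"][0]:
            rec["revoked"] = True
            # RFC 7009 2.1: SHOULD also invalidate access tokens of the same grant.
            for at, (_, owner) in list(self.access_tokens.items()):
                if owner == token:
                    del self.access_tokens[at]
        return 200, {}

    def access_token_valid(self, at):
        entry = self.access_tokens.get(at)
        return entry is not None and entry[0] > time.time()


# Mirrors the module settings: revoke endpoint, parameter carrying the token,
# and extra Param Name / Param Value rows (here the client credentials).
SETTINGS = {
    "revoke_on_logout": True,
    "revoke_endpoint": "https://idp.example.com/oauth2/revoke",  # assumed URL
    "token_param": "token",
    "extra_params": {"client_id": "drupal-site", "client_secret": "s3cr3t",
                     "token_type_hint": "refresh_token"},
}


def build_revocation_body(settings, refresh_token):
    return urlencode({settings["token_param"]: refresh_token, **settings["extra_params"]})


def logout(session, provider, settings):
    """Site-side logout: revoke the stored refresh token, then drop the session."""
    rt = session.get("refresh_token")
    if settings["revoke_on_logout"] and rt:
        # The real module POSTs to settings["revoke_endpoint"]; the mock is called directly.
        status, _ = provider.revoke_endpoint(build_revocation_body(settings, rt))
        if status != 200:
            raise RuntimeError(f"revocation failed with HTTP {status}")
    session.clear()


def run_demo(revoke_on_logout=True):
    """Log in, log out, then refresh with a copy of the token a background job kept."""
    provider = MockOAuthProvider()
    settings = {**SETTINGS, "revoke_on_logout": revoke_on_logout}
    tokens = provider.issue("drupal-site", "alice")
    session = {"refresh_token": tokens["refresh_token"]}  # 'Store token in User session'
    leaked_rt, old_at = tokens["refresh_token"], tokens["access_token"]
    logout(session, provider, settings)
    status, resp = provider.token_endpoint(urlencode({
        "grant_type": "refresh_token", "refresh_token": leaked_rt,
        "client_id": "drupal-site", "client_secret": "s3cr3t"}))
    return {"refresh_status": status, "refresh_error": resp.get("error"),
            "old_access_token_valid": provider.access_token_valid(old_at)}
```

Calling run_demo(True) returns a 400 invalid_grant for the post-logout refresh attempt and reports the old access token as no longer valid; run_demo(False) shows the contrast, with the refresh still succeeding after the UI session is gone. Whether already-issued access tokens are invalidated along with the refresh token depends on the provider, so the check on the old access token is the one to repeat against your real IdP.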

Without token revocation, access doesn't truly end. It just becomes invisible. By enabling Revoke User Tokens After Logout, you ensure that authentication and authorization end together. Once a user logs out, the stored refresh token is invalidated at the OAuth Provider, preventing new access tokens from being generated. Note that an access token already issued before logout stays usable until it expires unless the provider also invalidates it when the refresh token is revoked (RFC 7009 recommends this but does not require it), so keep access token lifetimes short and verify the provider's behaviour.
