User logged in even after deleted from Kinde
I used the starter kit on a React site to get a Register and Signin button to work. I can sign in on the site so that isAuthenticated is true. But then it wasn't clear how I could build a logout button. So I deleted the user from my list of users in my Kinde dashboard. But after being deleted, the user stayed logged in (isAuthenticated=true) on my site.
That's not supposed to happen, right? If a user has been deleted from the list at Kinde, they should immediately be logged out from all sites, right?
No, it's one of the challenges with using JWT tokens. From your web server's perspective the JWT is valid until the expiry date / time. If your web server kept going back to Kinde's servers for validation on every request it would have a significant performance / scalability impact.
One way to handle this would be to have short expiry access tokens with longer refresh token expiry. I've not really used it yet, but you could also try invalidating the user cache / claims through Kinde's API. https://docs.kinde.com/kinde-apis/management/#tag/users/post/api/v1/users/{user_id}/refresh_claims. Although I'm not sure how that lines up in OAuth 2.0 theory as it's through their management API. OAuth 2.0 does support the concept of token introspection, which I believe is what you are after - https://oauth.net/2/token-introspection/. But I don't know if Kinde currently supports this.