In OpenID Connect, the ID token is a cryptographically signed, self-contained token which allows resource owners to authorize access without a call to the authorization server. So, if the Authorization server isn't necessary to validate the token, how can it be revoked in a session management scenario? It seems like the only thing that can be revoked is the refresh token at which point the ID token would just expire and the user would have to reauthenticate. Is this correct? Also, does it even make sense for OpenID Connect Provider/Server to store the token at all as it hands it off?
The id_token cannot be explicitly revoked because of the reasons that you mention: it is self-contained and can be used without dependency on the Provider. However, a typical usage in web applications is to use the id_token upon receipt to create an application session, store the relevant information from the id_token in the session and then to discard the id_token itself. That application session can be terminated upon request from the Provider by implementing the OpenID Connect Session Management extension, see: https://openid.net/specs/openid-connect-session-1_0.html. In this web SSO use case the id_token lifetime would be limited since it is one-time usage only.
来源:https://stackoverflow.com/questions/32533285/openid-connection-session-management-can-id-token-be-revoked