I have Azure Mobile Service and AD set up for authentication.
Log out and login works perfectly through mobile app.
AD application reply url is https://test.azure-mobile.net/signin-aad
client = new MobileServiceClient (applicationURL, applicationKey);
var authResult = await client.LoginAsync(this, MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory);
var data = await client.InvokeApiAsync("testAPI", HttpMethod.Get, null); //Works
client.Logout(); // LOGOUT
var data = await client.InvokeApiAsync("testAPI", HttpMethod.Get, null); //Unauthorized Error at mobile side. Request not going to API
This working is perfect.
But if I copy the token from authResult after LOGOUT, I can use same token to call API from postman.
Header: X-ZUMO-AUTH → token
How I can validate the token? Any setting needed at Azure Mobile Service Side to validate and prevent this?
When you log out on the client, the auth token is removed from the client but nothing is communicated to the server to indicate that this token is now invalid. So if the token is stored off somewhere else and re-used, it will still be valid until it expires.
I'm not sure there's a good way to do this. You could reset the site's master key but that invalidates all other tokens, so that's not really a viable option. You could store a list of invalid tokens on the server and check them with each request, but that adds a lookup with each request.
Here's another question with a similar answer and a couple other links: Logout/invalidate a JWT
来源:https://stackoverflow.com/questions/34744454/azure-mobile-service-active-directory-authentication-x-zumo-auth-token-valid-in