After logout, validating the access_token at the introspection endpoint still returns active

Submitted by 倖福魔咒の on 2020-01-04 07:37:04

Question


I am having problems validating whether the token is active: when I call the introspection endpoint it returns active: true even after leaving the application.

It only returns false after the access_token lifetime expires.

Steps below.

1. I log in to the application, and an access_token, refresh_token, etc. are generated.

2. I log off from the application via the endsession endpoint.

3. When I call the introspection endpoint, passing the previously retrieved access_token, the system returns that it is active.

Question.

Shouldn't leaving the application invalidate this access_token? It only returns that it is not active after the access_token's expiration time.

Thanks


Answer 1:


Why should it be a problem? It seems to me that it works as designed, but not as expected.

First of all, you have to understand what an access token is:

An access token contains information about the client and the user (if present). It is a self-contained code that can be decoded by the server only and has a certain lifetime.

Anyone can access your resources with this access token. It doesn't matter whether it comes from your app or from somewhere else. That's why the access token should be short-lived. In case it falls into the wrong hands, it can be misused for only a short period of time. You can also add security measures to invalidate the token if this is detected.

Secondly, how should IdentityServer know that you closed your app? Sure, you logged out, but that did not change the access token. The token is self-contained and cannot be updated! It lives on its own until it expires.

And that is precisely what you see:

When you call the introspection endpoint, it returns active: true until the access_token expires.

-- update --

If you want to stay in control, consider using reference tokens instead of JWT tokens.

When using reference tokens, IdentityServer will store the contents of the token in a data store and will only issue a unique identifier for this token back to the client. The API receiving this reference must then open a back-channel communication to IdentityServer to validate the token.

Using the Revocation Endpoint you can revoke the reference token.
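
The following is an added example, not code from the question, the answer, or IdentityServer itself. It is a small Python stand-in for an introspection (RFC 7662) and revocation (RFC 7009) endpoint that replays the steps from the question for both token kinds discussed in the answer: a self-contained JWT and a stored reference token. The HS256 signing key, the class and function names, the hashed reference store and the sample claims are all assumptions made for the demo (IdentityServer signs JWTs with RS256 and its own signing credential). It shows that after "logout" the JWT still introspects as active until its exp claim passes, because there is no server-side record to delete, while the reference token goes inactive the moment it is revoked.

```python
"""Model of introspection for self-contained JWTs vs reference tokens (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed HS256 key for the demo only; names and helpers below are assumptions.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _handle_key(handle: str) -> str:
    # Store only a hash of the reference handle so a leaked store does not leak usable tokens.
    return hashlib.sha256(handle.encode()).hexdigest()


def issue_jwt(sub: str, client_id: str, lifetime_s: int, now: float) -> str:
    """Self-contained token: every claim is baked in and nothing is kept server-side."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "client_id": client_id, "iat": int(now), "exp": int(now) + lifetime_s}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenServer:
    """Issues reference tokens and answers introspection/revocation for both token kinds."""

    def __init__(self) -> None:
        self._reference_store: dict[str, dict] = {}

    def issue_reference_token(self, sub: str, client_id: str, lifetime_s: int, now: float) -> str:
        handle = secrets.token_urlsafe(32)  # opaque handle; the claims live only in the store
        self._reference_store[_handle_key(handle)] = {
            "sub": sub, "client_id": client_id, "iat": int(now), "exp": int(now) + lifetime_s}
        return handle

    def revoke(self, token: str) -> bool:
        """RFC 7009 style revocation: delete the stored record. A JWT has none, so nothing changes."""
        return self._reference_store.pop(_handle_key(token), None) is not None

    def introspect(self, token: str, now: float) -> dict:
        """RFC 7662 style response: {'active': False} or the claims plus 'active': True."""
        if token.count(".") == 2:
            return self._introspect_jwt(token, now)
        return self._introspect_reference(token, now)

    def _introspect_jwt(self, token: str, now: float) -> dict:
        head, body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return {"active": False}  # forged or tampered signature
        claims = json.loads(_b64url_decode(body))
        if claims["exp"] <= now:
            return {"active": False}  # expiry is the only thing that ends a JWT here
        return {"active": True, **claims}

    def _introspect_reference(self, token: str, now: float) -> dict:
        claims = self._reference_store.get(_handle_key(token))
        if claims is None or claims["exp"] <= now:
            return {"active": False}  # revoked, unknown, or expired
        return {"active": True, **claims}


def logout_scenario() -> dict:
    """Replay the question's steps: log in, log out (revoking), then introspect both tokens."""
    server = TokenServer()
    t0 = time.time()
    jwt = issue_jwt("alice", "webapp", 3600, t0)
    ref = server.issue_reference_token("alice", "webapp", 3600, t0)
    tampered = jwt[:-4] + ("BBBB" if jwt.endswith("AAAA") else "AAAA")  # altered signature
    return {
        "jwt_active_at_login": server.introspect(jwt, t0)["active"],
        "ref_active_at_login": server.introspect(ref, t0)["active"],
        # Logout: end the session and send both tokens to the revocation endpoint.
        "jwt_revocation_changed_state": server.revoke(jwt),
        "ref_revocation_changed_state": server.revoke(ref),
        "jwt_active_after_logout": server.introspect(jwt, t0 + 60)["active"],
        "ref_active_after_logout": server.introspect(ref, t0 + 60)["active"],
        "jwt_active_after_expiry": server.introspect(jwt, t0 + 3601)["active"],
        "tampered_jwt_active": server.introspect(tampered, t0)["active"],
    }


if __name__ == "__main__":
    for key, value in logout_scenario().items():
        print(f"{key}: {value}")
```

The revocation call for the JWT returns False because there is no stored record to remove, which is exactly the behaviour the answer describes; only the reference token's state can change before its lifetime runs out. A real deployment would also keep the JWT lifetime short, as the answer recommends, so the window after logout is small.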



Source: https://stackoverflow.com/questions/48157049/after-logout-when-validating-access-token-in-introspection-endpoint-is-returning
