1. 技术文章
  2. Identity Server 4 - how to solve Access Token still valid after client Logout?

Identity Server 4 - how to solve Access Token still valid after client Logout?

烂漫一生 提交于 2021-02-11 14:49:58

问题


We are trying to integrate Identity Server 4 (IDSV4) with our Mvc Client and WebApi2 clients.

We found out that, the access token is still valid and can be used to consume services from WebApi2 even after the user has logged out from both client and IDSV4.

I don't know how I can force it to become invalid as soon as the user has logged out.

Here are the steps to reproduce this behaviour:

  1. Open Mvc Client and Login to IDSV4
  2. Get the Access token by using await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken)

  3. Copy the AccessToken and access the WebApi2 by using that token (it works and we can see the validation step between Api and IDSV4)

  4. I Logout from IDSV4 and Client by using the following:

    await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("oidc");

    If we refresh the web page on Mvc Client, we can see that the user has logged out.

  5. Repeat the Step3 and send request to WebApi2 again by using the same AccessToken. It still works because it doesn't do the token validation again.

IMO, this is a security issue because we use that access token in AJAX call and users can see that token if they use the Browser tool and repeat the same requests even after logging out.

Here is the code to integrate my WebApi2 with IDSV4:

services.AddAuthentication(

            IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "http://idsv.url";
                options.ApiName = "api1";
            });

I tried to set options.CacheDuration to ZERO, but still the same behaviour.

Could you suggest how I could prevent it or force my Api to re-validate when the user has logged out? Is there anyway to notify the Api that, the specific token is no longer valid?


回答1:


There is no any way to revoke an Access-Token. You can use Reference-Token instead which has different flow and you can revoke it. Also this is the reason of you should generate Access-Token with short lifetime. When you are using https connection, there is no any way to stole Access-Token in middle of way.



来源:https://stackoverflow.com/questions/60465599/identity-server-4-how-to-solve-access-token-still-valid-after-client-logout

标签
identityserver4
access-token
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!