问题
We are trying to integrate Identity Server 4 (IDSV4) with our Mvc Client and WebApi2 clients.
We found out that, the access token is still valid and can be used to consume services from WebApi2 even after the user has logged out from both client and IDSV4.
I don't know how I can force it to become invalid as soon as the user has logged out.
Here are the steps to reproduce this behaviour:
- Open Mvc Client and Login to IDSV4
- Get the Access token by using
await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken)
Copy the AccessToken and access the WebApi2 by using that token (it works and we can see the validation step between Api and IDSV4)
I Logout from IDSV4 and Client by using the following:
await HttpContext.SignOutAsync("Cookies"); await HttpContext.SignOutAsync("oidc");
If we refresh the web page on Mvc Client, we can see that the user has logged out.
Repeat the Step3 and send request to WebApi2 again by using the same AccessToken. It still works because it doesn't do the token validation again.
IMO, this is a security issue because we use that access token in AJAX call and users can see that token if they use the Browser tool and repeat the same requests even after logging out.
Here is the code to integrate my WebApi2 with IDSV4:
services.AddAuthentication(
IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
options.Authority = "http://idsv.url";
options.ApiName = "api1";
});
I tried to set options.CacheDuration
to ZERO, but still the same behaviour.
Could you suggest how I could prevent it or force my Api to re-validate when the user has logged out? Is there anyway to notify the Api that, the specific token is no longer valid?
回答1:
There is no any way to revoke an Access-Token. You can use Reference-Token instead which has different flow and you can revoke it. Also this is the reason of you should generate Access-Token with short lifetime. When you are using https connection, there is no any way to stole Access-Token in middle of way.
来源:https://stackoverflow.com/questions/60465599/identity-server-4-how-to-solve-access-token-still-valid-after-client-logout