FireShock

Reputation: 1122

How to make Bearer token invalid

I wrote a provider which makes bearer-tokens by username/password for 10 years:

using System;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Cors;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    // 3600 days, i.e. roughly ten years
    private readonly TimeSpan _tokenLifetime = TimeSpan.FromDays(3600);

    public void ConfigureAuth(IAppBuilder app)
    {
        var config = new HttpConfiguration();
        WebApiConfig.Register(config);
        app.UseCors(CorsOptions.AllowAll);

        app.CreatePerOwinContext(UsersDB.Create);
        app.CreatePerOwinContext<UserManager>(UserManager.Create);
        app.CreatePerOwinContext<RoleManager>(RoleManager.Create);

        // Issues self-contained bearer tokens; nothing is stored server-side,
        // so every token stays valid until AccessTokenExpireTimeSpan elapses.
        app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/getToken"),
            Provider = new ApplicationOAuthProvider(new UserManager(new ApiUserStore(new UsersDB()))),
            AccessTokenExpireTimeSpan = _tokenLifetime,
            AllowInsecureHttp = true,
        });

        app.UseWebApi(config);
    }
}

The client has to get a token and use it for all methods of the Web API service. If the client gets a new token, the old token does not become invalid, and the client can use both tokens.

How to make the first token invalid?

Upvotes: 2

Views: 2101

Answers (1)

Hugo Hilário

Reputation: 2908

The standard way of handling those scenarios is to implement a Refresh Token architecture.

The most relevant benefits:

  • You don't need to request User and Password due to a token expiration (you won't let the token expire).
  • You can easily revoke a user's access by not allowing it to refresh.
  • You can add new claims based on your needs to the newly generated tokens.

Take a look at this article; you will get a full explanation of how to implement it.

http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/

Upvotes: 3
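As an added illustration of the refresh-token approach the answer recommends (this is example code written for this page, not the linked article's or the question's own code), the provider below plugs into the OWIN OAuth server's RefreshTokenProvider hook. It keeps one live refresh token per user in an in-memory store (a database table would replace it in practice), so issuing a new refresh token deletes the previous one and the old client can no longer refresh; a Revoke method covers the "don't allow it to refresh" case. The class names SingleSessionRefreshTokenProvider, RefreshingOAuthProvider and RefreshTokenStartup, the one-session-per-user policy and the lifetimes are assumptions; the options mirror the question's Startup but with a short access-token lifetime, which is what makes the old access token die quickly.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical provider: one live refresh token per user. Issuing a new one
// removes the previous one, so a refresh with the old token gets invalid_grant.
public class SingleSessionRefreshTokenProvider : IAuthenticationTokenProvider
{
    private class Entry
    {
        public AuthenticationTicket Ticket;
        public DateTimeOffset ExpiresUtc;
    }

    // Constructed in-memory store; keyed by the opaque refresh token id.
    private readonly ConcurrentDictionary<string, Entry> _byTokenId = new ConcurrentDictionary<string, Entry>();
    private readonly ConcurrentDictionary<string, string> _activeIdByUser = new ConcurrentDictionary<string, string>();
    private readonly TimeSpan _refreshLifetime;

    public SingleSessionRefreshTokenProvider(TimeSpan refreshLifetime)
    {
        _refreshLifetime = refreshLifetime;
    }

    // Called by the OAuth server after a successful password or refresh grant.
    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        var userName = context.Ticket.Identity.Name;
        var tokenId = Guid.NewGuid().ToString("N");

        // Copy the ticket so the access token's own expiry is left untouched.
        var ticketCopy = new AuthenticationTicket(
            context.Ticket.Identity,
            new AuthenticationProperties(context.Ticket.Properties.Dictionary));

        _byTokenId[tokenId] = new Entry
        {
            Ticket = ticketCopy,
            ExpiresUtc = DateTimeOffset.UtcNow.Add(_refreshLifetime)
        };

        // Revoke whatever refresh token this user held before: only the newest survives.
        string previousId;
        if (_activeIdByUser.TryGetValue(userName, out previousId))
        {
            Entry removed;
            _byTokenId.TryRemove(previousId, out removed);
        }
        _activeIdByUser[userName] = tokenId;

        context.SetToken(tokenId);          // the client receives only the opaque id
        return Task.FromResult(0);
    }

    // Called when a client posts grant_type=refresh_token to the token endpoint.
    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        Entry entry;
        // Single use: the token is removed on receipt and CreateAsync issues a replacement.
        if (_byTokenId.TryRemove(context.Token, out entry) && entry.ExpiresUtc > DateTimeOffset.UtcNow)
        {
            context.SetTicket(entry.Ticket);
        }
        // Unknown, replaced or expired token: no ticket set, server answers invalid_grant.
        return Task.FromResult(0);
    }

    // Administrative revocation: the user must log in with a password again.
    public void Revoke(string userName)
    {
        string id;
        Entry removed;
        if (_activeIdByUser.TryRemove(userName, out id))
        {
            _byTokenId.TryRemove(id, out removed);
        }
    }

    public void Create(AuthenticationTokenCreateContext context) { CreateAsync(context).Wait(); }
    public void Receive(AuthenticationTokenReceiveContext context) { ReceiveAsync(context).Wait(); }
}

// The server only honours refresh grants if the provider validates them; this
// override belongs in the question's ApplicationOAuthProvider in a real project.
public class RefreshingOAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        // Rebuilding the identity here is where new claims can be added on refresh.
        var identity = new ClaimsIdentity(context.Ticket.Identity);
        context.Validated(identity);
        return Task.FromResult(0);
    }
}

public static class RefreshTokenStartup
{
    public static void Configure(IAppBuilder app)
    {
        app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/getToken"),
            Provider = new RefreshingOAuthProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15),        // short-lived access token
            RefreshTokenProvider = new SingleSessionRefreshTokenProvider(TimeSpan.FromDays(30)),
            AllowInsecureHttp = false,                                    // tokens only travel over TLS
        });
    }
}
```

The client posts grant_type=password once, then grant_type=refresh_token&refresh_token=<id> to /getToken whenever its access token is about to expire. Note the caveat: a bearer access token is self-contained and is still accepted until its own expiry, which is why the access-token lifetime is minutes rather than the question's ten years; the refresh token is the thing that can actually be invalidated server-side.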
