Raul Molina

Reputation: 41

Revoke token Identity Server OAuth2

I wonder if it is possible to revoke an OAuth 2.0 token issued by ThinkTecture Identity Server, as I want to make my application log out.

Upvotes: 3

Views: 984

Answers (2)

Hans Z.

Reputation: 53928

This is possible only with the most recent release(s) of ThinkTecture Identity Server version 3 that implement RFC 7009: https://www.rfc-editor.org/rfc/rfc7009. See the release notes for version 1.1.0 at https://github.com/IdentityServer/Thinktecture.IdentityServer3/blob/master/RELEASES.md, which include a link to https://github.com/IdentityServer/Thinktecture.IdentityServer3/pull/858.

Upvotes: 2
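
The RFC 7009 revocation exchange the answer above points to, as an added example that is not part of the original answer and is not IdentityServer code. It shows the client's request and a toy model of how a revocation endpoint answers it. The endpoint URL is a placeholder, and the function names, client credentials and tokens are hypothetical.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode
from urllib.request import Request

# Placeholder (assumption): use the revocation endpoint your server documents.
REVOCATION_ENDPOINT = "https://idsrv.example.test/revocation"

def build_revocation_request(token, client_id, client_secret, hint="access_token"):
    """Client side: RFC 7009 section 2.1 request, a form-encoded POST with client auth."""
    body = urlencode({"token": token, "token_type_hint": hint}).encode()
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return Request(REVOCATION_ENDPOINT, data=body, method="POST", headers={
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded"})

def handle_revocation(request, clients, issued):
    """Server side, toy model: returns the HTTP status for a revocation request.

    clients maps client_id -> secret; issued maps token -> owning client_id
    and is mutated when a token is revoked. Both are constructed test data.
    """
    scheme, _, value = request.get_header("Authorization", "").partition(" ")
    try:
        raw_id, _, raw_secret = base64.b64decode(value).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return 401
    client_id, secret = unquote_plus(raw_id), unquote_plus(raw_secret)
    expected = clients.get(client_id)
    if scheme != "Basic" or expected is None or not hmac.compare_digest(
            expected.encode(), secret.encode()):
        return 401  # invalid_client
    token = parse_qs(request.data.decode()).get("token", [""])[0]
    if not token:
        return 400  # invalid_request: the token parameter is required
    # Revoke only tokens that were issued to the authenticated client.
    if issued.get(token) == client_id:
        del issued[token]
    # Unknown or already revoked tokens still get 200 (section 2.2). Answering
    # 200 for another client's token as well is a choice made in this sketch.
    return 200
```

On logout, a client would send the built request with `urllib.request.urlopen` and discard its local copy of the token whatever the outcome.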

Youngjae

Reputation: 25050

Did you read this article (http://leastprivilege.com/2013/11/15/adding-refresh-tokens-to-a-web-api-v2-authorization-server/)?

I quote the paragraph below.

Once the token has been issued, there is no “built-in” way to revoke it. Or in other words you’d need to write your own mechanism for that which often involves database checks on each request. Doable – but often defeats the purpose.

In short, giving a narrow lifetime to the auth token and removing the stored one in the client are applicable solutions.

Upvotes: 0
