Hung Le

Reputation: 71

Revoke access token of OAuthBearerAuthentication

I've set up the authentication for Web API which is almost identical to this blog here oauth-refresh-tokens from Taiseer Joudeh.

It worked perfectly until I ran into an issue:

I've done some research and they all said that revoking an access token is quite difficult (or not possible in OAuth). The only thing I could do is to set the timeout shorter. It's still nagging at me, and I do not like the idea that the access token is still valid for a (although limited) period of time afterwards.

So, is there any better approach? Any advice would be much appreciated.

Upvotes: 3

Views: 4759

Answers (3)

Hans Z.

Reputation: 54088

Use the refresh_token and access_token as they were designed and shorten the lifetime of the access token to a duration that is acceptable for you and go as low as you need to go. Since you're both the Resource Server and Authorization Server, the asymptote means that you'll end up checking the user on every call anyhow, as suggested in the other answers, but:

using a DB to store access tokens will most probably lead to caching tokens to optimize performance, in which case you end up in the same situation as with refresh tokens, where the cache staleness timeout is the equivalent of the access token lifetime.

In the end you can't have your cake and eat it too, so I would recommend to do it as OAuth was designed to do.

Upvotes: 2

Rajdeep Dosanjh

Reputation: 1187

This is possible if you check the user against a database table every request. Something along the lines of the following in the global.asax would work.

    // Runs for every request; look the current user (or token) up in the table and,
    // if it has been revoked, drop the principal so the request is unauthenticated.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if ( /* check table: user/token is NOT allowed in */ )
        {
            HttpContext.Current.User = null;
        }
    }

Upvotes: 0

Taiseer Joudeh

Reputation: 9043

Thanks for referring to and using my blog post. Check this answer, as you need to store the access token identifier in the DB if you want to revoke them.

Upvotes: 0
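The two answers above (check a table on every request; store a token identifier so it can be revoked) combine into one pattern. The following is an added example, not code from the question, the answers or Taiseer Joudeh's blog post: the authorization server stamps each ticket with a `token_id` in its `AuthenticationProperties`, and the bearer provider rejects any request whose `token_id` is on a revocation list. `RevokedTokenStore`, `RevocableTokenServerProvider`, `RevocationCheckingBearerProvider`, `RevocationStartup` and the `token_id` key are names chosen for this example; the in-memory dictionary stands in for the database table the answers mention, and the user credential check inside `GrantResourceOwnerCredentials` is assumed to happen elsewhere.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical revocation store: stand-in for the DB table the answers refer to.
public static class RevokedTokenStore
{
    // token_id -> time of revocation (UTC)
    private static readonly ConcurrentDictionary<string, DateTime> Revoked =
        new ConcurrentDictionary<string, DateTime>();

    public static void Revoke(string tokenId) => Revoked[tokenId] = DateTime.UtcNow;

    public static bool IsRevoked(string tokenId) =>
        tokenId != null && Revoked.ContainsKey(tokenId);
}

// Issuing side: every access token carries its own identifier in the protected ticket.
public class RevocableTokenServerProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // client validation is out of scope for this example
        return Task.FromResult<object>(null);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Assumption: context.UserName / context.Password were already verified against the user store.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));

        // The identifier is embedded in the (encrypted, signed) ticket, so the resource
        // server reads it back from the token itself. Persist tokenId with the user so a
        // "log out" or "revoke this session" action knows which id to put on the list.
        var tokenId = Guid.NewGuid().ToString("N");
        var props = new AuthenticationProperties(new Dictionary<string, string>
        {
            { "token_id", tokenId }
        });

        context.Validated(new AuthenticationTicket(identity, props));
        return Task.FromResult<object>(null);
    }
}

// Resource side: consult the revocation list on every bearer-authenticated request.
public class RevocationCheckingBearerProvider : OAuthBearerAuthenticationProvider
{
    public override Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        string tokenId;
        context.Ticket.Properties.Dictionary.TryGetValue("token_id", out tokenId);

        // Tokens without an id (issued before this change) or on the list are rejected;
        // Rejected() makes [Authorize] endpoints answer 401 for this request.
        if (tokenId == null || RevokedTokenStore.IsRevoked(tokenId))
            context.Rejected();
        else
            context.Validated();

        return Task.FromResult<object>(null);
    }
}

public static class RevocationStartup
{
    public static void ConfigureAuth(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            // Keep the lifetime short regardless of revocation (Hans Z.'s point above).
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15),
            Provider = new RevocableTokenServerProvider(),
            AllowInsecureHttp = false
        });

        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new RevocationCheckingBearerProvider()
        });
    }
}
```

Revoking a token is then `RevokedTokenStore.Revoke(tokenId)` from a logout or admin endpoint, and the next request with that token fails authentication. The caveat from the first answer still applies: if the `IsRevoked` lookup is cached to save a database round-trip, the cache TTL becomes the delay before a revocation takes effect, so it should be no longer than the staleness you are willing to accept.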
