Derek

Reputation: 8628

Asp.Net Identity IUserSecurityStampStore with Bearer Tokens

I'm in the process of building up an ASP.NET Web API 2 project and I'm using Bearer Tokens for security via OWIN middleware.

Scenario:

The first question I'd like an answer on:

Is this actually a problem, or bad? I'm not sure it is.

I know that with cookie authentication you can implement the IUserSecurityStampStore interface and examine the database for changes occurring in the user's Identity, which then invalidates the user's cookie and a new cookie is required.

Am I correct in believing this implementation doesn't work with Bearer Tokens?

Is this something that I need to concern myself with when using Bearer Tokens?

Upvotes: 1

Views: 349

Answers (1)

Scott Brady

Reputation: 5598

This is part of the fun with access tokens: they're hard to revoke/invalidate.

It is possible to check and see if the password has changed if you don't mind hitting your identity database each request. Maybe store the security stamp in the token as a claim and compare this to the up to date stamp?

But is this actually an issue? It depends on how important revocation is to you. In most use cases, if you've kept your access token lifetimes short, allowed scopes minimal and don't abuse refresh tokens, you should be good to go.

Upvotes: 0
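The stamp-in-a-claim approach from the answer above, as an added example that is not code from the question or the answer. It assumes the standard ASP.NET Identity 2.x + OWIN OAuth template types (ApplicationUserManager registered with app.CreatePerOwinContext, string user ids) and uses its own hypothetical claim type name for the stamp.

```csharp
// Added example: issue the security stamp as a claim, then re-check it per request.
// Assumes the Web API 2 / Identity 2.x template's ApplicationUserManager.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;

public static class SecurityStampClaim
{
    // Hypothetical claim type chosen for this example; any unique URI works.
    public const string Type = "urn:example:security_stamp";
}

// Token issuance: copy the user's current security stamp into the access token.
// Wire up with app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions { Provider = new StampedAuthorizationServerProvider(), ... });
public class StampedAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        var user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
        var identity = await userManager.CreateIdentityAsync(user, context.Options.AuthenticationType);
        var stamp = await userManager.GetSecurityStampAsync(user.Id);
        identity.AddClaim(new Claim(SecurityStampClaim.Type, stamp));
        context.Validated(identity);
    }
}

// Token validation: one database read per request; reject the token if the stamp
// has moved on (password change, role change, or anything else that updates it).
// Wire up with app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions { Provider = new StampCheckingBearerProvider() });
public class StampCheckingBearerProvider : OAuthBearerAuthenticationProvider
{
    public override async Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        var identity = context.Ticket.Identity;
        var tokenStamp = identity.FindFirst(SecurityStampClaim.Type)?.Value;
        var userId = identity.GetUserId();
        if (tokenStamp == null || userId == null) { context.Rejected(); return; }

        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        var currentStamp = await userManager.GetSecurityStampAsync(userId);
        if (currentStamp != tokenStamp) context.Rejected(); // stale token: stamp changed since issue
    }
}
```

Rejecting the identity makes the request fall through to 401 exactly as an expired token would, so clients re-authenticate and pick up a token carrying the new stamp.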
