CODEWITHSUNDEEP
c#asp.net-coreasp.net-core-mvcasp.net-core-identity
Mariusz Jamro
Mariusz Jamro

Reputation: 31633

How to sign out other user in ASP.NET Core Identity

How can i sign out another user (not the currently logged one) in ASP.NET Core Identity.

I know there is a SignOutAsync() method in SignInManager, but there seems to be no override accepting user as argument. I'm looking for something like:

signInManager.SignOutAsync(user);

Upvotes: 26

Views: 27791

Answers (2)

VahidN
VahidN

Reputation: 19136

First update the security stamp of that user:

await userManager.UpdateSecurityStampAsync(user)

Then that user won't be noticed the changes until the arrival of the SecurityStampValidationInterval. So set it to Zero for the immediate logout:

services.AddIdentity<User, Role>(identityOptions =>
{
   // enables immediate logout, after updating the user's stat.
   identityOptions.SecurityStampValidationInterval = TimeSpan.Zero;
}

Update: For ASP.NET Core Identity 2.x, 3.x, 5.x

services.Configure<SecurityStampValidatorOptions>(options =>
{
    // enables immediate logout, after updating the user's stat.
    options.ValidationInterval = TimeSpan.Zero;   
});

Upvotes: 50

Youngjae
Youngjae

Reputation: 25050

I think you might find some revoke functionality, which make sign out user forcefully. It is not easily implemented currently as the nature of stateless connection and token-based (or we can say claim-based) authentication.

A revoked user should be accessed to a token validation endpoint in order to check the token valid or not. Until then, (1) the user could be shown as a signed-in, or (2) we need to implement client(app or web) to access to the token endpoint very frequently till token expiration or revokation.

SignIn/Out is tighted to token-authorized user identity scope, so that the viable solution is to invalidate a token.

Upvotes: 1

Related Questions