Roman Kolesnikov

Reputation: 12147

IdentityServer4 refresh_token revocation

I have an SPA app that uses the IdentityServer4 ROPC flow for auth, with access and refresh tokens, from this example: https://github.com/robisim74/AngularSPAWebAPI. Every 15 minutes I update refresh_token for a new pair of refresh and access tokens.

However, if I restart the IdentityServer4 app, old refresh_tokens issued before the restart are no longer valid. How do I fix it? I suspect I should implement some interface to store issued refresh tokens?

Upvotes: 1

Views: 646

Answers (1)

Lutando

Reputation: 5010

You need to implement persisted grants by using the IPersistedGrantStore contract. This stores things like refresh_tokens into a defined persistence. By default IdentityServer 4 will use an InMemory persistence store, which is why you keep on losing your refresh_token references when you restart the application.

It is pretty much mandatory to have a persistence layer for this in production if you are going to be using refresh_tokens.

Upvotes: 2
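
A minimal file-backed store for the contract named in the answer, as an added example that is not part of the original answer or of the IdentityServer4 project. It assumes the IdentityServer4 4.x interface shape (earlier versions take `subjectId`/`clientId`/`type` arguments instead of a `PersistedGrantFilter`); `FilePersistedGrantStore` and its file path are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.Json;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Stores;

// Added example; assumes IdentityServer4 4.x. Class name and file path are hypothetical.
public class FilePersistedGrantStore : IPersistedGrantStore
{
    private readonly string _path;
    private readonly object _gate = new object();
    private readonly Dictionary<string, PersistedGrant> _grants;

    public FilePersistedGrantStore(string path)
    {
        _path = path;
        // Reload grants written before the last restart.
        _grants = File.Exists(path)
            ? JsonSerializer.Deserialize<Dictionary<string, PersistedGrant>>(File.ReadAllText(path))
            : new Dictionary<string, PersistedGrant>();
    }

    public Task StoreAsync(PersistedGrant grant) => Mutate(g => g[grant.Key] = grant);
    public Task RemoveAsync(string key) => Mutate(g => g.Remove(key));
    public Task RemoveAllAsync(PersistedGrantFilter filter) => Mutate(g =>
    { foreach (var x in g.Values.Where(v => Matches(v, filter)).ToList()) g.Remove(x.Key); });

    public Task<PersistedGrant> GetAsync(string key)
    { lock (_gate) return Task.FromResult(_grants.TryGetValue(key, out var g) ? g : null); }

    public Task<IEnumerable<PersistedGrant>> GetAllAsync(PersistedGrantFilter filter)
    { lock (_gate) return Task.FromResult<IEnumerable<PersistedGrant>>(_grants.Values.Where(g => Matches(g, filter)).ToList()); }

    // A null filter field means "do not filter on this field".
    private static bool Matches(PersistedGrant g, PersistedGrantFilter f) =>
        (f.SubjectId == null || g.SubjectId == f.SubjectId) && (f.ClientId == null || g.ClientId == f.ClientId) &&
        (f.SessionId == null || g.SessionId == f.SessionId) && (f.Type == null || g.Type == f.Type);

    private Task Mutate(Action<Dictionary<string, PersistedGrant>> change)
    {
        lock (_gate)
        {
            change(_grants);
            // Drop expired grants, then rewrite the file so the state survives a restart.
            foreach (var k in _grants.Where(p => p.Value.Expiration < DateTime.UtcNow).Select(p => p.Key).ToList())
                _grants.Remove(k);
            File.WriteAllText(_path, JsonSerializer.Serialize(_grants));
            return Task.CompletedTask;
        }
    }
}
```

Register it after `AddIdentityServer()` with `services.AddSingleton<IPersistedGrantStore>(new FilePersistedGrantStore("grants.json"))`. The file holds serialized grant data, so restrict read access to the account the service runs as.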
