Sathiyamoorthi

Reputation: 61

How to revoke the access and refresh token in Oauth2.0?

I've used this method to revoke the token, but the access token and refresh token are reusable again. How do I revoke the access and refresh token?

using System.Threading.Tasks;
using IdentityModel.Client;
using Microsoft.AspNetCore.Mvc;

public async Task<IActionResult> Revoke(string refreshToken, string accessToken)
{
    // Look up the revocation endpoint from the discovery document
    var identityService = await DiscoveryClient.GetAsync("http://localhost:5000");
    if (identityService.IsError)
    {
        return BadRequest(identityService.Error);
    }

    // The client credentials must belong to the client the tokens were issued to
    var revocationClient = new TokenRevocationClient(
        identityService.RevocationEndpoint, "ro.client", "secret");

    var response = await revocationClient.RevokeRefreshTokenAsync(refreshToken);
    var response1 = await revocationClient.RevokeAccessTokenAsync(accessToken);

    if (response.IsError || response1.IsError)
    {
        return BadRequest(response.Error ?? response1.Error);
    }
    return Ok();
}

Upvotes: 2

Views: 3356

Answers (3)

Gary Archer

Reputation: 29208

Refresh tokens are only used for desktop / mobile apps or for server-side web apps.

For a true browser app (single page app) you can't use refresh tokens. You can still separate API credential time from User Session time though.

There are some notes on my blog around sessions, in case they help:

  • OAuth Token Renewal Messages

  • I'm not covering server-side web apps, but basically they carry the refresh token around in the authentication cookie

Upvotes: 0

Gary Archer

Reputation: 29208

My company, which provides software for managing investment banking assets, uses the following separation:

API CREDENTIALS

  • Access tokens are for calling APIs from UIs
  • They have a short lifetime of 30 minutes
  • They are JWTs and do not need to be revoked since they are short lived

USER SESSIONS

  • These are represented by a refresh token
  • The refresh token for a UI might last for 8 hours
  • Every 30 minutes the access token expires and is silently renewed
  • Refresh tokens are stored in a database
  • An IT administrator can revoke a refresh token by deleting it from the DB
  • This will force a new login after no more than 30 minutes

REVOCATION PROCESS

  • Typically the IT administrator will want to use context when revoking a refresh token, such as Application Id, User Id and Time Issued

  • So if you are providing a UI for revocation you might want to provide fields such as the above

Upvotes: 0

mackie

Reputation: 5264

Only reference and refresh tokens can be revoked in this way. JWTs are valid until their exp time unless you build additional logic into the consumer.

Upvotes: 1
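As an added illustration of the "additional logic in the consumer" that this answer refers to (not code from the question or from any answer): an API-side validator that, after checking the signature and exp, also refuses a JWT whose jti is on a revocation list. The HS256 signing key, the revoked-jti set and the token builder are constructed for the demo; jti and exp are the standard JWT claim names.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo signing key; a real API would hold the issuer's key material.
SECRET = b"demo-signing-key"
# Constructed revocation store: jti values an administrator has revoked.
REVOKED_JTIS = {"jti-revoked-001"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict) -> str:
    """Build a signed HS256 JWT; stands in for the token server in this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_access_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Consumer-side check: signature, then exp, then the revocation list.
    Returns (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    # Without this lookup a revoked JWT stays valid until exp, which is the
    # behaviour the question observed.
    if claims.get("jti") in REVOKED_JTIS:
        return False, "revoked"
    return True, "ok"
```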
