Reputation: 1479
I'm using token-based authentication in my Web API application. For each login, OAuth generates an access token for the user. If a user logs in more than once, they may own several valid tokens. Is there a limitation on this process?
Here is my Startup class:
using System;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        HttpConfiguration config = new HttpConfiguration();

        // Registered before Web API so the OAuth middleware runs first in the pipeline
        ConfigureOAuth(app);

        WebApiConfig.Register(config);
        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
        app.UseWebApi(config);
        //Rest of code is here;
    }

    public void ConfigureOAuth(IAppBuilder app)
    {
        OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
        {
            // Lets the token endpoint be called over plain HTTP. Acceptable for local
            // development only: a bearer token sent over HTTP can be captured and replayed.
            AllowInsecureHttp = true,
            TokenEndpointPath = new PathString("/token"),
            // Every token issued stays valid for a full day, regardless of later logins
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
            Provider = new SimpleAuthorizationServerProvider()
        };

        // Token Generation
        app.UseOAuthAuthorizationServer(OAuthServerOptions);
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}
And here is the "GrantResourceOwnerCredentials" method:
public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
{
    // The OAuth server middleware short-circuits the pipeline for /token, so the CORS
    // middleware registered after it never sees this response; the header is added by hand.
    context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });

    using (AuthRepository _repo = new AuthRepository())
    {
        IdentityUser user = await _repo.FindUser(context.UserName, context.Password);
        if (user == null)
        {
            // Same message for an unknown user and a wrong password, so the
            // response does not reveal which one failed
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
    }

    // Nothing here ties the token to this particular login, so every successful call
    // issues another independent token that stays valid until its own expiry
    var identity = new ClaimsIdentity(context.Options.AuthenticationType);
    identity.AddClaim(new Claim("sub", context.UserName));
    identity.AddClaim(new Claim("role", "user"));
    context.Validated(identity);
}
Upvotes: 0
Views: 1681
Reputation: 313
One of the main limitations of an OAuth token is its expiry. So if you generate a long-lived token then it is valid for a long time. So some common approaches to handle such a scenario are:
issue a short-lived token with an additional refresh token
store the token in the database and, every time a new token is generated, mark the old token's status as expired. Then you can write your custom authorize attribute to check whether the token is expired or not.
Upvotes: 1
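The first approach in the answer above (a short-lived access token paired with a refresh token), as an added example that is not code from the question or from either answer. It is written for the Katana OWIN OAuth server the question uses; the class names, the 15-minute and 14-day lifetimes, and the in-memory dictionary (standing in for a database table) are this example's own choices.

```csharp
// Added example: short-lived access tokens plus single-use, hashed refresh tokens
// for the Katana OWIN OAuth authorization server. Not the question's or answers' code.
// The ConcurrentDictionary stands in for a database table.
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;

public class SingleUseRefreshTokenProvider : IAuthenticationTokenProvider
{
    // SHA-256(refresh token) -> serialized ticket. Only the hash is stored, so a
    // leaked table does not hand out usable refresh tokens.
    private static readonly ConcurrentDictionary<string, string> Store =
        new ConcurrentDictionary<string, string>();

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        // 32 bytes from the OS CSPRNG; Guid.NewGuid() is not documented as unpredictable
        byte[] raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(raw);
        }
        string refreshToken = Convert.ToBase64String(raw);

        // The ticket handed in carries the short access-token expiry; give the
        // refresh token its own, longer lifetime before serializing it.
        context.Ticket.Properties.IssuedUtc = DateTimeOffset.UtcNow;
        context.Ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.AddDays(14);

        Store[Sha256(refreshToken)] = context.SerializeTicket();
        context.SetToken(refreshToken);
        return Task.FromResult<object>(null);
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        string serializedTicket;
        // TryRemove makes the token single-use: a replayed refresh token finds nothing,
        // the ticket stays null and the server answers invalid_grant. The server also
        // rejects a deserialized ticket whose ExpiresUtc has passed.
        if (Store.TryRemove(Sha256(context.Token), out serializedTicket))
        {
            context.DeserializeTicket(serializedTicket);
        }
        return Task.FromResult<object>(null);
    }

    // Katana calls the async members; the synchronous ones are not used here.
    public void Create(AuthenticationTokenCreateContext context) { throw new NotSupportedException(); }
    public void Receive(AuthenticationTokenReceiveContext context) { throw new NotSupportedException(); }

    private static string Sha256(string value)
    {
        using (var sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(value)));
        }
    }
}

public class RefreshingAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    // Needed for every grant type, including refresh_token: a public client with no secret
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
        return Task.FromResult<object>(null);
    }

    // GrantResourceOwnerCredentials stays as in the question. This override handles
    // grant_type=refresh_token; rebuilding the identity here is the place to re-check
    // a disabled account or a changed role before a new access token goes out.
    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        var newIdentity = new ClaimsIdentity(context.Ticket.Identity);
        context.Validated(newIdentity);
        return Task.FromResult<object>(null);
    }
}

// Wiring in ConfigureOAuth (replacing the question's one-day access token):
//   AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15),
//   RefreshTokenProvider = new SingleUseRefreshTokenProvider(),
//   Provider = new RefreshingAuthorizationServerProvider()
```

The client logs in once with grant_type=password and afterwards posts grant_type=refresh_token&refresh_token=... to /token; each such call consumes the stored refresh token and returns a new access token together with a new refresh token. A user who logs in several times still holds several access tokens, but each is usable for only fifteen minutes, and the refresh tokens that outlive them are single-use and can be deleted from the store to force a fresh login. The static dictionary is per process; with more than one server, back it with a shared database or cache.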
Reputation: 3169
I am afraid the token is valid until it expires, and it will contain all the info related to the user.
So to do what you want you have to create your own layer to validate whether the user has a token or not, like creating a mapping table and then a custom filter to reject the request if the user is not using the last token generated for him.
Upvotes: 0
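The "mapping table plus custom filter" layer described in the answer above, which is also the second approach in the earlier answer (record the newest token and reject older ones from a custom authorize attribute), as an added example that is not code from the question or the answers. Rather than storing the raw token string, it stamps a random session id claim into each token at login and keeps only the user's most recent id; AuthRepository and FindUser are taken from the question, while the store, the "sid" claim name and the attribute are this example's own, and the in-memory dictionary stands in for the mapping table.

```csharp
// Added example: every successful login stamps a fresh session id into the token and
// records it as the user's current one; the custom authorize attribute rejects any
// token whose session id is no longer current. Not the question's or answers' code.
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using Microsoft.Owin.Security.OAuth;

public static class CurrentSessionStore
{
    // user name -> session id of the most recently issued token (one row per user in a DB)
    private static readonly ConcurrentDictionary<string, string> Latest =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public static void Record(string userName, string sessionId)
    {
        Latest[userName] = sessionId;   // overwriting invalidates every earlier token
    }

    public static bool IsCurrent(string userName, string sessionId)
    {
        string current;
        return Latest.TryGetValue(userName, out current) && current == sessionId;
    }

    public static void Revoke(string userName)
    {
        string removed;
        Latest.TryRemove(userName, out removed);   // logout: nothing is accepted until the next login
    }
}

public class SingleSessionServerProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();   // public client, no client secret
        return Task.FromResult<object>(null);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        using (AuthRepository repo = new AuthRepository())   // from the question
        {
            var user = await repo.FindUser(context.UserName, context.Password);
            if (user == null)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }
        }

        // 16 CSPRNG bytes as the session id. The token is a protected ticket, so the
        // client cannot alter this claim without invalidating the whole token.
        byte[] raw = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(raw); }
        string sessionId = Convert.ToBase64String(raw);

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim("sub", context.UserName));
        identity.AddClaim(new Claim("role", "user"));
        identity.AddClaim(new Claim("sid", sessionId));

        CurrentSessionStore.Record(context.UserName, sessionId);
        context.Validated(identity);
    }
}

// Use instead of [Authorize] on controllers or actions that must only accept the latest token
public class CurrentSessionAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        if (!base.IsAuthorized(actionContext))
        {
            return false;   // no valid bearer token at all (or wrong role/user)
        }

        var identity = actionContext.RequestContext.Principal.Identity as ClaimsIdentity;
        if (identity == null)
        {
            return false;
        }

        Claim sub = identity.FindFirst("sub");
        Claim sid = identity.FindFirst("sid");
        // An unexpired, correctly signed token from an earlier login fails right here
        return sub != null && sid != null && CurrentSessionStore.IsCurrent(sub.Value, sid.Value);
    }
}
```

With this in place a second login does not make the first token expire, but the first token stops being accepted by anything decorated with [CurrentSessionAuthorize], which is the behaviour the answer describes; CurrentSessionStore.Revoke gives a logout endpoint the same effect for a self-contained token. Because the lookup happens on every request, the store has to be fast and shared across servers (a database table or distributed cache in production), and it fails safe: if the store is empty after a restart, every existing token is rejected until the user logs in again.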