Bagzli

Reputation: 6579

Identity Server 4 Signout - Token Lifetime

I have IdentityServer 4 at is.mysite.com, and then I have mysite.com, which uses Angular to serve the content. Lastly, I have api.mysite.com, which uses IS4 to protect the content.

What I'd like to know is what is the expected behavior of the lifetime of the token after the user has signed out. Consider the following scenario:

  1. User opens mysite.com and clicks login.
  2. User is redirected to is.mysite.com and logs in.
  3. User is redirected back to mysite.com and can make API requests.
  4. User opens a new tab in the browser, goes to is.mysite.com and clicks logout.
  5. User goes back to the previous tab where mysite.com is and tries to make the API call.

The current result that I get is that the user is able to retrieve the data. Is this expected? Shouldn't the user no longer be able to use said token because they have logged out? The way I log out the users is as follows:

await _loginManager.LoggOffAsync(HttpContext.User);
await HttpContext.SignOutAsync();

Also, if I visit is.mysite.com, the user truly is logged out.

Upvotes: 0

Views: 1792

Answers (3)

Mim

Reputation: 453

The Angular client may monitor the session state of the user by using the session management specification; this is accomplished through an iframe. For more information on the logout process you can take a look at the official documentation, specifically the section describing JavaScript clients.

Given how the session management specification is designed, there is nothing special in IdentityServer that you need to do to notify these clients that the user has signed out. The clients, though, must perform monitoring on the check_session_iframe, and this is implemented by the oidc-client JavaScript library.

It is intended behavior that the access token remains valid, this is why access tokens are valid for a short duration. If you need precise control over the validity of access tokens you can look into reference tokens, which are able to be revoked.

Upvotes: 2

Arnaldo

Reputation: 1

I have set up my IdentityServer4 with a ReactJS client. For the communication of JavaScript clients with IdentityServer4, I assume you might have installed oidc-client-js, through which you redirect the user to IdentityServer4 (is.mysite.com) from your Angular client (mysite.com).

If so, you have to call the signoutRedirect() method in your logout button click. Only then can your Angular client (mysite.com) successfully log your user out of IdentityServer4 (is.mysite.com).

Once the user has been signed out, the remaining tabs will be notified and will be signed out by the browser.

"Make sure you add the [Authorize] tag on the controller to restrict the client to consume the API without a valid access token."

Upvotes: 0

James

Reputation: 127

If you're talking about tokens with security stamps, then it depends on the validation interval that you have configured for your service. Setting this to zero will cause the security stamp to be validated on every request, so that logout everywhere will take effect immediately:

https://learn.microsoft.com/en-us/previous-versions/aspnet/dn497603%28v%3dvs.108%29

If this isn't how you're doing log out everywhere then we'd need to see more of your auth setup code to know where the issue is.

Upvotes: 0
