Reputation: 6337
I'm using IdentityServer4 in ASP.NET Core 2.2. The client application (RP) is an API, also an ASP.NET Core 2.2 application. The user logs in using the authorization code flow and gets a cookie from IdentityServer (idsrv). They then get an authorization code and an access token for the API (RP).
I want to be able to revoke a user's existing login session and access tokens in some cases, e.g. if their password has been reset. In IdentityServer I've added my own authentication scheme:
```csharp
.AddCookie("MyAuthenticationScheme", options =>
{
    // Server-side ticket store: lets the server drop a session before the cookie expires.
    options.SessionStore = new MyTicketStore();
    // Custom events are resolved from DI, so ValidatePrincipal can consult user data.
    options.EventsType = typeof(MyCookieAuthenticationEvents);
})
```
This allows me to invalidate the user's IdentityServer session on the server before the authentication ticket expires. For example, when the user is signed in I add a claim that stores the date their password was last changed and in `MyCookieAuthenticationEvents.ValidatePrincipal()` I check that it has not been changed since, as suggested on https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-2.2#react-to-back-end-changes
I want to do the same with the access token they use to access the RP. If the user's password has changed (and in some other cases) I want the access token to be invalidated immediately, rather than waiting for it to expire. I'm using reference tokens and have implemented `IProfileService` and `ICustomTokenValidator`. In `IProfileService.GetProfileDataAsync` I copy the password change date claim to the access token claims collection and in `ICustomTokenValidator.ValidateAccessTokenAsync` I again check that claim against the real user.
This works, but it seems quite convoluted and complicated and I wonder if there is a simpler way to accomplish this - it seems like this should be a common requirement.
Upvotes: 1
Views: 3198
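The cookie-side check the question describes, written out as an added example (not code from the question or from IdentityServer4). It assumes a hypothetical `IPasswordChangeLookup` service that returns when a user's password was last changed, and a claim name `pwd_changed_at` stamped into the ticket at sign-in; both are assumptions, not part of any library. A ticket that lacks the claim, or whose user no longer exists, is rejected rather than accepted, so a stale or tampered ticket fails closed.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Hypothetical lookup abstraction (assumed for this example, not part of IdentityServer4
// or ASP.NET Core). Returns null when the user no longer exists.
public interface IPasswordChangeLookup
{
    Task<DateTimeOffset?> GetPasswordChangedAtAsync(string subjectId);
}

public class MyCookieAuthenticationEvents : CookieAuthenticationEvents
{
    // Claim name is an assumption; use whatever name you stamp at sign-in.
    public const string PasswordChangedAtClaim = "pwd_changed_at";

    private readonly IPasswordChangeLookup _lookup;

    public MyCookieAuthenticationEvents(IPasswordChangeLookup lookup)
    {
        _lookup = lookup;
    }

    // Call this when building the principal at sign-in so the ticket carries the stamp.
    public static Claim CreatePasswordChangedAtClaim(DateTimeOffset changedAt)
        => new Claim(PasswordChangedAtClaim, changedAt.ToUnixTimeSeconds().ToString());

    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        var subject = context.Principal.FindFirst("sub")?.Value;
        var stamped = context.Principal.FindFirst(PasswordChangedAtClaim)?.Value;

        // Missing subject or stamp: treat the ticket as stale and fail closed.
        if (subject == null || stamped == null || !long.TryParse(stamped, out var stampedUnix))
        {
            await RejectAsync(context);
            return;
        }

        var current = await _lookup.GetPasswordChangedAtAsync(subject);

        // Unknown user, or password changed after the ticket was issued: reject.
        if (current == null || current.Value.ToUnixTimeSeconds() != stampedUnix)
        {
            await RejectAsync(context);
        }
    }

    private static async Task RejectAsync(CookieValidatePrincipalContext context)
    {
        context.RejectPrincipal();
        // Clear the cookie as well, so the browser stops presenting the stale ticket.
        await context.HttpContext.SignOutAsync(context.Scheme.Name);
    }
}
```

Because `ValidatePrincipal` runs on every request, the lookup should be cheap (a single indexed read or a cached value); comparing a unix-second stamp avoids the precision and time-zone pitfalls of comparing formatted dates.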
Reputation: 4812
If you are using reference tokens, all you need to do in order to invalidate the token is to remove it from whatever implementation of `IPersistedGrantStore` you have, and the next time the reference token is validated through introspection it will be invalid since it will no longer exist.
Upvotes: 1
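The approach in the answer, as an added example written against the IdentityServer4 2.x `IPersistedGrantStore` API that ships with the ASP.NET Core 2.2 generation (not code from the answer or from IdentityServer4 itself). The `UserTokenRevoker` class and the idea of calling it from the password-reset path are assumptions; the store methods and `IdentityServerConstants.PersistedGrantTypes` values are the library's own. It goes slightly beyond the answer by also removing refresh tokens, since otherwise the client could simply mint a fresh access token.

```csharp
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Stores;

// Hypothetical service (assumed for this example, not part of IdentityServer4).
// Call it from wherever the password is changed or reset, after the new password is saved.
public class UserTokenRevoker
{
    private readonly IPersistedGrantStore _grants;

    public UserTokenRevoker(IPersistedGrantStore grants)
    {
        _grants = grants;
    }

    // Removes the subject's reference tokens and refresh tokens across all clients.
    // Reference tokens then fail introspection; refresh tokens can no longer be exchanged.
    // Consent grants are left alone so the user is not re-prompted after a password reset.
    public async Task RevokeTokensAsync(string subjectId)
    {
        var grants = await _grants.GetAllAsync(subjectId);
        foreach (var grant in grants)
        {
            if (grant.Type == IdentityServerConstants.PersistedGrantTypes.ReferenceToken
             || grant.Type == IdentityServerConstants.PersistedGrantTypes.RefreshToken)
            {
                await _grants.RemoveAsync(grant.Key);
            }
        }
    }

    // Narrower variant: remove only the reference tokens issued to one client.
    public Task RevokeReferenceTokensForClientAsync(string subjectId, string clientId)
        => _grants.RemoveAllAsync(
            subjectId,
            clientId,
            IdentityServerConstants.PersistedGrantTypes.ReferenceToken);
}
```

One caveat for the API side: if the RP enables introspection caching in `AddIdentityServerAuthentication` (`EnableCaching` with a `CacheDuration`), a removed token keeps working until that cache entry expires, so keep the cache short or disable it where immediate revocation matters. Later IdentityServer4 versions replaced these `IPersistedGrantStore` overloads with a `PersistedGrantFilter` parameter, so adjust the calls if you upgrade.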