Reputation: 622
I have configured both the revoke and logout endpoints as mentioned below.

```csharp
.AddOpenIdConnectServer(options =>
{
    options.LogoutEndpointPath = "/logout";
    options.RevocationEndpointPath = "/revoke";
});
```
But neither is working: token revocation is not expiring/revoking the token.

For token revocation, I have debugged the code and found that it is rejecting the context in the OpenIdConnectServerHandler class, in the code mentioned below.

```csharp
var context = new ValidateRevocationRequestContext(Context, Scheme, Options, request);
await Provider.ValidateRevocationRequest(context);
```

context.IsRejected is true after the above method.

The request (POST) contains clientId, clientsecret, token (an access token or refresh token) and token_hint_type. I am not able to conclude why this is happening.
Update 1:

Made the context validate with the code mentioned below.

```csharp
public override Task ValidateRevocationRequest(ValidateRevocationRequestContext context)
{
    context.Validate();
    return Task.CompletedTask;
}
```
Now I got to know by debugging the ASOS code that there is no built-in logic for token revocation. Am I right? If this is the scenario, then I need to write my own custom logic to revoke the token in

```csharp
public override Task HandleRevocationRequest(HandleRevocationRequestContext context)
{
    // ... custom revocation logic ...
}
```

Now I am wondering what the way is to revoke the token (access and refresh), because these are self-contained and not stored in a DB like OpenIddict (I have looked at the revoke logic of OpenIddict).
Upvotes: 4
Views: 1547
Reputation: 42100
> Now I got to know by debugging the ASOS code that there is no built-in logic for token revocation. Am I right? If this is the scenario, then I need to write my own custom logic to revoke the token in
That's right: ASOS is completely stateless.
How you implement that is entirely your own decision. You can use a table to store token entries like OpenIddict (that are created from the Serialize*Token events) or a blacklist with the identifiers of the revoked tokens.
More info here: AspNet.Security.OpenIdConnect.Server. Refresh tokens
Upvotes: 0
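The blacklist approach the answer describes, as an added example that is neither the question's code nor part of ASOS or OpenIddict. It assumes ASOS 2.x: the `OpenIdConnectServerProvider` events, `context.Revoked` on `HandleRevocationRequestContext`, and the `GetTokenId()` / `IsRefreshTokenGrantType()` extensions from `AspNet.Security.OpenIdConnect.Extensions`. `RevokedTokenStore` and `IsKnownClient` are constructed stand-ins for a real database table and client registry.

```csharp
// Added example, not the question's or ASOS's own code. Assumes ASOS 2.x:
// AspNet.Security.OpenIdConnect.Server for the provider/events and
// AspNet.Security.OpenIdConnect.Extensions for GetTokenId()/IsRefreshTokenGrantType().
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Primitives;
using AspNet.Security.OpenIdConnect.Server;

// Constructed stand-in for a persistent store (use a DB table in production).
// ASOS tokens are self-contained, so revocation state has to live outside the
// token: we record the identifiers of revoked tokens, not the tokens themselves.
public sealed class RevokedTokenStore
{
    // Value is the revocation time; an entry can be purged once the token's own
    // expiry has passed, because the token would be rejected as expired anyway.
    private readonly ConcurrentDictionary<string, DateTimeOffset> _revoked =
        new ConcurrentDictionary<string, DateTimeOffset>();

    public void Revoke(string tokenId) => _revoked[tokenId] = DateTimeOffset.UtcNow;

    public bool IsRevoked(string tokenId) =>
        !string.IsNullOrEmpty(tokenId) && _revoked.ContainsKey(tokenId);
}

public sealed class RevocationProvider : OpenIdConnectServerProvider
{
    private readonly RevokedTokenStore _store;

    public RevocationProvider(RevokedTokenStore store) => _store = store;

    // Hypothetical client registry; replace with your own lookup.
    private static bool IsKnownClient(string clientId, string clientSecret) =>
        clientId == "demo-client" && clientSecret == "demo-secret";

    public override Task ValidateRevocationRequest(ValidateRevocationRequestContext context)
    {
        // ASOS rejects the request unless the provider explicitly validates it.
        // Validate only for authenticated clients: an unconditional Validate()
        // lets any caller revoke any token it has obtained.
        if (!IsKnownClient(context.ClientId, context.ClientSecret))
        {
            context.Reject(OpenIdConnectConstants.Errors.InvalidClient,
                           "The client credentials are invalid.");
            return Task.CompletedTask;
        }

        context.Validate();
        return Task.CompletedTask;
    }

    public override Task HandleRevocationRequest(HandleRevocationRequestContext context)
    {
        // ASOS has already deserialized the token (access or refresh, chosen via
        // token_type_hint) into context.Ticket. Blacklist the ticket's identifier.
        var tokenId = context.Ticket.GetTokenId();
        if (string.IsNullOrEmpty(tokenId))
        {
            // No identifier means the token cannot be tracked: leave Revoked false
            // so ASOS reports failure instead of claiming a still-valid token is gone.
            return Task.CompletedTask;
        }

        _store.Revoke(tokenId);
        context.Revoked = true; // without this ASOS answers with unsupported_token_type
        return Task.CompletedTask;
    }

    public override Task HandleTokenRequest(HandleTokenRequestContext context)
    {
        // Enforcement half for refresh tokens: on grant_type=refresh_token the
        // incoming refresh token is context.Ticket, so consult the blacklist.
        if (context.Request.IsRefreshTokenGrantType() &&
            _store.IsRevoked(context.Ticket.GetTokenId()))
        {
            context.Reject(OpenIdConnectConstants.Errors.InvalidGrant,
                           "The refresh token has been revoked.");
        }

        return Task.CompletedTask;
    }
}
```

Merge the `HandleTokenRequest` override into your existing one if you already issue tickets for other grant types there. Revoking is only half the job: because a self-contained access token validates offline, the resource server's token-validation handler must consult the same store (by the token's identifier) or revoked access tokens keep working until they expire, which is exactly why the answer points at storing token entries or identifiers rather than expecting the token itself to change.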