Reputation: 21
I need to revoke the refresh token by user and client. But I'm not sure how to do this.
Can I use the revoke endpoint for refresh tokens?
Or do I need to write code? I am using EF in Identity; in startup I have:
AddOperationalStore(options => ....)
There seem to be two options to delete tokens:
Which one can I use for this purpose?
Or should I implement the code for the delete as described in this article?
Upvotes: 1
Views: 602
Reputation: 683
If you need to revoke all the tokens for a given SubjectId/ClientId combination, you cannot use the revoke endpoint you list in your question. That's intended to revoke a single token.
The article you link is about not using ASP.NET Core Identity. That is a different matter and should have no impact on your desire to remove all refresh tokens for a user.
The way to go is indeed to use the IRefreshTokenStore.RemoveRefreshTokensAsync method, where you can provide the SubjectId and ClientId. This does not necessarily 'revoke' the tokens, it removes them all from the database.
Upvotes: 1
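As an added example (not part of the answer above and not the project's own code), here is a small service that performs the removal the answer describes. It assumes the IdentityServer4 package and its `IdentityServer4.Stores` namespace; the class name `RefreshTokenRevoker` is hypothetical, and the reference-token cleanup goes beyond what the answer covers.

```csharp
using System;
using System.Threading.Tasks;
using IdentityServer4.Stores;            // assumption: IdentityServer4 package
using Microsoft.Extensions.Logging;

// Hypothetical service; register it as scoped, e.g.
// services.AddScoped<RefreshTokenRevoker>(), alongside AddOperationalStore(...).
public class RefreshTokenRevoker
{
    private readonly IRefreshTokenStore _refreshTokens;
    private readonly IReferenceTokenStore _referenceTokens;
    private readonly ILogger<RefreshTokenRevoker> _log;

    public RefreshTokenRevoker(
        IRefreshTokenStore refreshTokens,
        IReferenceTokenStore referenceTokens,
        ILogger<RefreshTokenRevoker> log)
    {
        _refreshTokens = refreshTokens;
        _referenceTokens = referenceTokens;
        _log = log;
    }

    public async Task RevokeAsync(string subjectId, string clientId)
    {
        // Require both values so the removal stays scoped to one user and one client.
        if (string.IsNullOrWhiteSpace(subjectId))
            throw new ArgumentException("Subject id is required.", nameof(subjectId));
        if (string.IsNullOrWhiteSpace(clientId))
            throw new ArgumentException("Client id is required.", nameof(clientId));

        // Deletes every persisted refresh token for this subject/client pair.
        await _refreshTokens.RemoveRefreshTokensAsync(subjectId, clientId);

        // Reference access tokens are persisted too, so they can be removed as well.
        // Self-contained JWT access tokens are not stored and stay valid until they expire.
        await _referenceTokens.RemoveReferenceTokensAsync(subjectId, clientId);

        // Structured log entry so the revocation shows up in the audit trail.
        _log.LogInformation(
            "Removed refresh and reference tokens for subject {SubjectId}, client {ClientId}",
            subjectId, clientId);
    }
}
```

Expose this only behind an authorized administrative path, since any caller that reaches `RevokeAsync` can force a sign-in for the named user on that client.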