Ben

Reputation: 25

.Net5 Identity Logout

How do I log out a user who is logged in with the .Net 5 Identity system?

When I call Logout, the JWT token stays valid and I can call authorized requests with success.

 await _signInManager.SignOutAsync();

Here is my UserController:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

[ApiController]
[Route("api/[controller]/[action]")]
// Every action in this controller requires a valid bearer token.
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public class UserController : ControllerBase
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly RoleManager<IdentityRole> _roleManager;
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly IConfiguration _configuration;
    private readonly IHttpContextAccessor _httpContextAccessor;
    private readonly ILogger<UserController> _logger;

    public UserController(IConfiguration configuration, SignInManager<IdentityUser> signInManager,
        UserManager<IdentityUser> userManager, RoleManager<IdentityRole> roleManager,
        IHttpContextAccessor httpContextAccessor, ILogger<UserController> logger)
    {
        _configuration = configuration;
        _logger = logger;
        _signInManager = signInManager;
        _userManager = userManager;
        _roleManager = roleManager;
        _httpContextAccessor = httpContextAccessor;
    }

    // Clears the Identity sign-in state; the bearer token presented on this
    // request is not touched, which is the behaviour described above.
    [HttpPost]
    public async Task<IActionResult> Logout()
    {
        await _signInManager.SignOutAsync();
        return Ok("Logged out.");
    }
}

I use SDK version 5.0.100.

Thanks!

Upvotes: 2

Views: 706

Answers (1)

Krumelur

Reputation: 32597

In general it is not possible to revoke a JWT bearer token; that's why there is an expiration time on them. The idea is that the user agent comes back and refreshes the token after the time has expired, at which point it will know whether the session has ended or not.

One of the properties of a JWT token is that it can be validated "offline", i.e. without access to the issuing backend. All that is needed is the public part of the key used to sign it. Once the token has been issued, it is valid for the duration set within the token and there is no (canonical) way to expire it.

Of course, you are always free to build a revocation list or similar into your backend, but that is really not what JWT tokens are meant for.

An easy way to mitigate your problem is to set a short expiration time.

Upvotes: 2
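The revocation list the answer mentions, worked through as an added example for ASP.NET Core 5 (this is not code from the question or the answer). It assumes tokens are issued with a "jti" claim (for example `Guid.NewGuid().ToString()`) alongside the standard "exp" claim; the `ITokenDenylist` service, `InMemoryTokenDenylist` and `AddRevocableJwtBearer` are hypothetical names introduced here. `SignInManager.SignOutAsync` only clears cookie-based schemes, which is why the Logout action below records the presented token's jti instead. The denylist check runs in `JwtBearerEvents.OnTokenValidated`, after signature and lifetime validation, so it adds exactly the "online" step that offline JWT validation lacks.

```csharp
// Added example (not from the question or answer above): a jti-based revocation
// list for JwtBearer in ASP.NET Core 5. Assumes tokens carry "jti" and "exp".
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical service: a denylist keyed by jti, bounded by token expiry.
public interface ITokenDenylist
{
    void Revoke(string jti, DateTime expiresUtc);
    bool IsRevoked(string jti);
}

// In-memory version: fine for one instance, lost on restart. For several
// instances, back this with IDistributedCache using the token's expiry as TTL.
public sealed class InMemoryTokenDenylist : ITokenDenylist
{
    private readonly ConcurrentDictionary<string, DateTime> _revoked = new();

    public void Revoke(string jti, DateTime expiresUtc) => _revoked[jti] = expiresUtc;

    public bool IsRevoked(string jti)
    {
        // A token that has already expired can never validate again, so its
        // entry is dropped; the list stays bounded by the token lifetime.
        foreach (var kv in _revoked)
            if (kv.Value <= DateTime.UtcNow) _revoked.TryRemove(kv.Key, out _);
        return _revoked.ContainsKey(jti);
    }
}

public static class JwtRevocationSetup
{
    // Call from Startup.ConfigureServices instead of the plain AddJwtBearer call.
    public static void AddRevocableJwtBearer(this IServiceCollection services,
        Action<JwtBearerOptions> configureValidation)
    {
        services.AddSingleton<ITokenDenylist, InMemoryTokenDenylist>();
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Issuer, audience, signing key and a short lifetime come from the caller.
                configureValidation(options);
                options.Events = new JwtBearerEvents
                {
                    // Runs only after signature and lifetime checks have passed.
                    OnTokenValidated = ctx =>
                    {
                        var denylist = ctx.HttpContext.RequestServices
                            .GetRequiredService<ITokenDenylist>();
                        var jti = ctx.Principal?.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
                        if (jti is null || denylist.IsRevoked(jti))
                            ctx.Fail("Token has been revoked or carries no jti.");
                        return Task.CompletedTask;
                    }
                };
            });
    }
}

[ApiController]
[Route("api/[controller]/[action]")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public class UserController : ControllerBase
{
    private readonly ITokenDenylist _denylist;

    public UserController(ITokenDenylist denylist) => _denylist = denylist;

    [HttpPost]
    public IActionResult Logout()
    {
        // The server holds no session for a bearer token, so "logging out"
        // means rejecting this specific token for the rest of its lifetime.
        var jti = User.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
        var exp = User.FindFirst(JwtRegisteredClaimNames.Exp)?.Value; // Unix seconds
        if (jti is null || exp is null)
            return BadRequest("Token carries no jti/exp claim and cannot be revoked.");

        var expiresUtc = DateTimeOffset.FromUnixTimeSeconds(long.Parse(exp)).UtcDateTime;
        _denylist.Revoke(jti, expiresUtc);
        return Ok("Logged out; this token is rejected until it expires.");
    }
}
```

Two points to check when adopting this: the token issuer must actually add a jti (without one, every token fails validation here by design), and the denylist must be shared by every instance that validates tokens, otherwise a revoked token is still accepted by the instances that never saw the logout. Combining the list with the short expiration the answer recommends keeps it small.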
