I am looking for a way to invalidate or remove the token that has been issued out to the consumer.

The scenario is when a user's password is changed, we want to make sure all the issued tokens cannot be used anymore.

Eatdoku

1 Answer

There's nothing built-in for this other than the normal expiration. If you think about it, how would you implement this? You'd need to make a call to the STS on every call into your server. That's why normally the token expiration is used -- for efficiency. But if you did want to implement this, you could, but it'd be your custom solution.

Brock Allen
  • Good point, but how would I make sure a long-lived token gets expired in this case then? – Eatdoku Jan 14 '14 at 07:08
  • Either shorten the token lifetime, or build some custom API into IdentityServer where the RP can check for a revoked token. – Brock Allen Jan 14 '14 at 14:39
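
The custom check suggested in the answer and comments, as an added example that is not part of the original thread and is not IdentityServer code: the STS records a per-user cutoff when the password changes, and the relying party rejects tokens issued before it, caching the cutoff so that not every request calls the STS. `RevocationStore`, `RelyingParty`, the claim names `sub`/`iat`/`exp` and the timeline in `demo()` are assumptions made for illustration.

```python
class RevocationStore:
    """Hypothetical STS-side store: one cutoff per user, set on password change."""
    def __init__(self):
        self._cutoff = {}
        self.lookups = 0  # how many times a relying party called the STS

    def password_changed(self, user, now):
        self._cutoff[user] = now

    def cutoff_for(self, user):
        self.lookups += 1
        return self._cutoff.get(user, 0)


class RelyingParty:
    """Checks claims of a token whose signature has already been validated."""
    def __init__(self, store, cache_ttl):
        self.store = store
        self.cache_ttl = cache_ttl  # seconds a cutoff may be served from cache
        self._cache = {}            # user -> (cutoff, fetched_at)

    def _cutoff(self, user, now):
        hit = self._cache.get(user)
        if hit is not None and now - hit[1] < self.cache_ttl:
            return hit[0]
        cutoff = self.store.cutoff_for(user)
        self._cache[user] = (cutoff, now)
        return cutoff

    def accept(self, claims, now):
        if now >= claims["exp"]:
            return False  # normal expiration still applies
        # Strict '>' fails closed for a token issued in the same second as the change.
        return claims["iat"] > self._cutoff(claims["sub"], now)


def demo():
    """Constructed timeline in seconds; returns each accept() result and STS calls."""
    store = RevocationStore()
    rp = RelyingParty(store, cache_ttl=30)
    old = {"sub": "alice", "iat": 1000, "exp": 4600}
    results = [rp.accept(old, 1010), rp.accept(old, 1020)]  # second hit is cached
    store.password_changed("alice", 1025)
    results.append(rp.accept(old, 1030))  # stale cache: still accepted
    results.append(rp.accept(old, 1041))  # cache expired: rejected
    new = {"sub": "alice", "iat": 1050, "exp": 4650}
    results.append(rp.accept(new, 1051))  # issued after the password change
    return results, store.lookups
```

The cache lifetime is the longest a revoked token stays usable at that relying party, which is the efficiency trade-off the answer describes.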