3

I wonder if it is possible to revoke an OAuth 2.0 token issued by ThinkTecture Identity Server, as I want to make my application log out.

Youngjae

2 Answers

2

This is possible only with the most recent release(s) of ThinkTecture Identity Server version 3 that implement RFC 7009: https://www.rfc-editor.org/rfc/rfc7009. See the release notes for version 1.1.0 at https://github.com/IdentityServer/Thinktecture.IdentityServer3/blob/master/RELEASES.md, which include a link to https://github.com/IdentityServer/Thinktecture.IdentityServer3/pull/858.

Community
Hans Z.
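
The RFC 7009 revocation call referred to in the answer above, as an added example (not part of the original answer and not IdentityServer code). The endpoint URL, the client credentials, the `send` transport callable and the token store are hypothetical; `send` returns `(status, error)` so the block runs offline.

```python
import base64
import urllib.parse
import urllib.request

# Constructed host; the path is an assumption, read the real one from your server's configuration.
REVOCATION_ENDPOINT = "https://idsrv.example/connect/revocation"

def build_revocation_request(token, hint, client_id, client_secret,
                             endpoint=REVOCATION_ENDPOINT):
    """RFC 7009 section 2.1: form-encoded POST over TLS with client authentication."""
    if hint not in ("access_token", "refresh_token"):  # hint values defined by RFC 7009
        raise ValueError("token_type_hint must be access_token or refresh_token")
    if not endpoint.lower().startswith("https://"):
        raise ValueError("revocation endpoint must use TLS")
    body = urllib.parse.urlencode({"token": token, "token_type_hint": hint})
    # RFC 6749 section 2.3.1: form-encode client id and secret before Base64.
    pair = ":".join(urllib.parse.quote_plus(v) for v in (client_id, client_secret))
    return urllib.request.Request(endpoint, data=body.encode("ascii"), method="POST", headers={
        "Authorization": "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    })

def interpret_revocation_response(status, error=None):
    """Map the server's answer to what the client should do next."""
    if status == 200:
        return "discard"      # section 2.2: revoked, or the token was already invalid
    if status == 503:
        return "retry"        # token must be assumed still valid; honour Retry-After
    if status == 400 and error == "unsupported_token_type":
        return "unsupported"  # server cannot revoke this kind of token
    return "failed"           # e.g. 401 invalid_client

def logout(store, send, client_id, client_secret):
    """Revoke the refresh token, then the access token; return tokens not confirmed revoked."""
    pending = []
    for hint in ("refresh_token", "access_token"):
        token = store.pop(hint, None)  # the local copy is removed whatever the server says
        if token is None:
            continue
        req = build_revocation_request(token, hint, client_id, client_secret)
        if interpret_revocation_response(*send(req)) != "discard":
            pending.append((hint, token))  # may still be usable server-side
    return pending

if __name__ == "__main__":
    demo = {"refresh_token": "rt-constructed", "access_token": "at-constructed"}
    print(logout(demo, lambda req: (200, None), "client1", "s3cret"), demo)
```

Anything returned in the pending list has not been confirmed revoked, so the caller decides whether to retry or rely on the token's expiry.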
0

Did you read this article (http://leastprivilege.com/2013/11/15/adding-refresh-tokens-to-a-web-api-v2-authorization-server/)?

I quote the paragraph below.

Once the token has been issued, there is no “built-in” way to revoke it. Or in other words you’d need to write your own mechanism for that which often involves database checks on each request. Doable – but often defeats the purpose.

In short, giving a narrow lifetime to the auth token and removing the stored one in the client are applicable solutions.

Youngjae