(ASP.NET Identity 2.1)

There exists a method, UpdateSecurityStampAsync, which will invalidate the stored login cookie that the client uses to log in. But many applications use this cookie-type authentication in conjunction with OAuthBearerTokens:

        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Enable the application to use bearer tokens to authenticate users
        app.UseOAuthBearerTokens(OAuthOptions);

So, while UpdateSecurityStampAsync will handle logging out the user in the context of cookies, how can we achieve the same thing and also invalidate their token when you log them out server-side?

Note that out of the box, the VS2013 ASP.NET SPA template enables both forms of authentication, so developers might falsely believe that their users are logged out by simply calling UpdateSecurityStampAsync when in reality, a client could continue using a cached token to access the API.

BenjiFB

0 Answers
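One way to make a bearer token honour UpdateSecurityStampAsync, as an added example that is not part of the question or the template: the token issued by the template's OAuth provider carries the user's security stamp as a claim (Microsoft.AspNet.Identity.Constants.DefaultSecurityStampClaimType), so a custom OAuthBearerAuthenticationProvider can compare the stamp inside the ticket with the stamp currently stored for the user and reject the request when they differ. It assumes the template's ApplicationUserManager is registered in the OWIN context, and that app.UseOAuthBearerTokens(OAuthOptions) is replaced by the two calls shown at the bottom so the custom provider can be plugged in.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical provider (not from the template): a bearer token stays valid
// only while the security stamp it carries matches the stamp in the store.
// Calling UpdateSecurityStampAsync therefore revokes every outstanding token
// for that user on the next request, in the same way it invalidates cookies.
public class SecurityStampBearerProvider : OAuthBearerAuthenticationProvider
{
    public override async Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        ClaimsIdentity identity = context.Ticket.Identity;
        string userId = identity.GetUserId();
        string stampInToken = identity.FindFirstValue(Constants.DefaultSecurityStampClaimType);

        // A token without a user id or stamp claim cannot be checked, so it is rejected
        // rather than silently accepted.
        if (string.IsNullOrEmpty(userId) || stampInToken == null)
        {
            context.Rejected();
            return;
        }

        // ApplicationUserManager is the template's UserManager subclass, assumed to be
        // registered via app.CreatePerOwinContext in Startup.Auth.cs.
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        string currentStamp = await userManager.GetSecurityStampAsync(userId);

        if (!string.Equals(stampInToken, currentStamp, StringComparison.Ordinal))
        {
            context.Rejected(); // stamp rotated since the token was issued: treat as logged out
            return;
        }
        // Leaving the context validated lets the request proceed as before.
    }
}

public static class BearerWiring
{
    // Replaces app.UseOAuthBearerTokens(OAuthOptions): the helper wires its own provider,
    // so the authorization server and bearer middleware are registered separately here.
    public static void Configure(IAppBuilder app, OAuthAuthorizationServerOptions oauthOptions)
    {
        app.UseOAuthAuthorizationServer(oauthOptions);
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new SecurityStampBearerProvider()
        });
    }
}
```

The check costs one user-store lookup per API request, so the stamp comparison is the trade-off for having server-side revocation of an otherwise self-contained token.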