2

I've used this method for revoke the token. But the access token and refresh token again reusable. How to revoke the access and refresh token?

public async Task<IActionResult> Revoke(string 
   refreshToken,stringaccessToken){
    var identityService = await 
    DiscoveryClient.GetAsync("http://localhost:5000");

    var revocationClient = new 
    TokenRevocationClient(identityService.RevocationEndpoint, "ro.client", 
    "secret"); 
    var response = await 
    revocationClient.RevokeRefreshTokenAsync(refreshToken); 
               var response1 = await 
    revocationClient.RevokeAccessTokenAsync(accessToken);
}
nyulan
  • 311
  • 3
  • 12
Sathiyamoorthi
  • 61
  • 9
  • Are you using reference tokens or JWTs? Revocation only works for the former – mackie Feb 21 '18 at 10:15
  • I'm using JWT tokens for revoke – Sathiyamoorthi Feb 21 '18 at 10:30
  • Thanks, Mackie. Now I change JWT tokens to reference token. What are the changes in the config and startup files? Can you help me? or sent any reference links? – Sathiyamoorthi Feb 21 '18 at 11:01
  • I don't want to be the RTFM guy but it's explained here: http://docs.identityserver.io/en/release/topics/reference_tokens.html You're APIs will need to be able to call the introspection endpoint to validate said reference tokens so you'll need to ensure they have a secret defined and that the middleware is configured suitably. – mackie Feb 21 '18 at 11:09
  • 1
    how to expire Jwt token manually expiry? Is it possible? – Sathiyamoorthi Feb 21 '18 at 15:40
  • I change reference token type. That time I can't access the API call. I think startup or config file any mistake does. – Sathiyamoorthi Feb 21 '18 at 15:43
  • The link post by @mackie is broken, the new link is: https://identityserver4.readthedocs.io/en/latest/topics/reference_tokens.html. – ndclt May 18 '22 at 14:45

3 Answers3

1

Only reference and refresh tokens can be revoked in this way. JWTs are valid until their exp time unless you build additional logic into the consumer.

mackie
  • 4,996
  • 1
  • 17
  • 17
0

My company, who provide software for managing investment banking assets, use the following separation:

API CREDENTIALS

  • Access tokens are for calling APIs from UIs
  • They have a short lifetime of 30 minutes
  • They are JWTs and do not need to be revoked since they are short lived

USER SESSIONS

  • These are represented by a refresh token
  • The refresh token for a UI might last for 8 hours
  • Every 30 minutes the access token expires and is silently renewed
  • Refresh tokens are stored in a database
  • An IT administrator can revoke a refresh token by deleting it from the DB
  • This will force a new login after no more than 30 minutes

REVOCATION PROCESS

  • Typically the IT administrator will want to use context when revoking a refresh token, such as Application Id, User Id and Time Issued

  • So if you are providing a UI for revocation you might want to provide fields such as the above

Gary Archer
  • 22,534
  • 2
  • 12
  • 24
0

refresh tokens are only used for desktop / mobile apps or for server side web apps.

For a true browser app (single page app) you can't use refresh tokens. You can still separate API credential time from User Session time though.

There are some notes on my blog around sessions, in case they help:

  • OAuth Token Renewal Messages

  • I'm not covering server side web apps but basically they carry the refresh token around in the authentication cookie

Gary Archer
  • 22,534
  • 2
  • 12
  • 24