I have a .NET Core 2.1 Web API project using OpenIddict.

TLDR: Following the example given here, I need a sample for performing the logout request that invalidates/logs out the refresh token and the access token for one user.

LONG VERSION:

This is about several API users that retrieve an access token + refresh token with username and password. I am searching for a way to invalidate/log out both tokens for one specific API user who has a valid access/refresh token.

I am lost trying to write a route for "logging out" the access token and the refresh token of a single user using the current refresh token.

We do not use a SignInManager. I see several examples for that on the net, but I did not find anything that matches our simple in-memory approach. The TokenManager has no SignOut methods.

The ConfigureServices() part on Startup.cs looks like this:

    services.AddDbContext<DbContext>(options =>
    {
        // In-memory store for the OpenIddict entities (applications, authorizations, tokens).
        options.UseInMemoryDatabase(nameof(DbContext));
        options.UseOpenIddict();
    });

    services.AddOpenIddict()
        .AddCore(options =>
        {
            options.UseEntityFrameworkCore().UseDbContext<DbContext>();
        })
        .AddServer(options =>
        {
            options.UseMvc();

            options.EnableTokenEndpoint("/api/token").EnableLogoutEndpoint("/api/logout");

            options.AllowPasswordFlow();
            options.AllowRefreshTokenFlow();
            options.SetAccessTokenLifetime(TimeSpan.FromHours(1));
            options.SetRefreshTokenLifetime(TimeSpan.FromDays(7));
            options.RegisterScopes(OpenIdConnectConstants.Scopes.OfflineAccess);

            // Development-only settings: plain HTTP and unregistered (anonymous) clients.
            options.DisableHttpsRequirement();
            // Each refresh_token grant issues a new refresh token and marks the previous one as redeemed.
            options.UseRollingTokens();
            options.AcceptAnonymousClients();
        })
        .AddValidation();

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = OAuthValidationDefaults.AuthenticationScheme;
    });

Retrieving access tokens and using the refresh tokens works perfectly fine.

But what do I use in the logout route?

    [HttpGet]
    [Route("/api/logout")]
    public async Task<IActionResult> LogoutAsync(OpenIdConnectRequest logoutRequest)
    {
        // ???
    }

Trying something like the following shows me an almost empty logoutRequest parameter (everything is null; only the Properties are filled, with the information that we have a logout_request):

    [HttpGet]
    [Route("/api/logout")]
    public async Task<IActionResult> LogoutAsync(OpenIdConnectRequest logoutRequest)
    {
        var result = SignOut(OpenIdConnectServerDefaults.AuthenticationScheme);

        return result;
    }
iquellis
  • 1. Signout is not about "invalidating" the token but about telling the client to remove that token. It's possible that clients store the token in JavaScript memory, the browser's localStorage, or anywhere else, so the server has no idea how the clients store the token. As a result, tutorials online don't show you how to sign out a user. – itminus Dec 31 '19 at 07:57
  • 2. (too long to post in a single comment) Usually, we will define a sign-in scheme for the remote authentication scheme, e.g. using the cookie scheme as the sign-in scheme. In that case, we can sign out the cookie scheme by sending a Set-Cookie header. Since you don't have such a sign-in cookie scheme, it's likely that you'll employ some JavaScript to remove the token when you want to sign out some user. – itminus Dec 31 '19 at 07:58
  • 3. @itminus: Regarding your first comment: I totally understand that. I want to give an API user the possibility to actively tell our server to invalidate his access and refresh tokens that he got for username and password. I updated the question with these details. – iquellis Dec 31 '19 at 08:37

0 Answers
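Added example (editor's note; this is not code from the question or from an answer on this page): a bearer-token revocation action for the password + refresh-token setup shown above. Three points a practitioner should know first. The path registered with EnableLogoutEndpoint is OpenIddict's OpenID Connect end-session endpoint, meant for browser/cookie sessions, which is why the OpenIdConnectRequest arrives nearly empty for a bearer-token call; a plain MVC action on a path OpenIddict does not claim is the simpler fit here (OpenIddict also ships an RFC 7009 revocation endpoint via EnableRevocationEndpoint, which revokes refresh tokens). Revoking the stored rows only stops further refresh_token grants: the default access tokens are self-contained and not stored, so an already-issued access token stays valid until it expires (one hour in this configuration) unless UseReferenceTokens() is enabled, in which case the validation handler checks the stored token on every request. The code is written against OpenIddict 2.x with the default EF Core entity OpenIddictToken; the route /api/revoke and the manager method names (FindBySubjectAsync, GetStatusAsync, RevokeAsync) are my assumptions and should be checked against the package version actually referenced.

```csharp
// Added example, not from the question. Assumes OpenIddict 2.x, the default
// EF Core entity OpenIddictToken (string keys) and the generic
// OpenIddictTokenManager<TToken>; route and method names are assumptions to verify.
using System;
using System.Threading;
using System.Threading.Tasks;
using AspNet.Security.OAuth.Validation;
using AspNet.Security.OpenIdConnect.Primitives;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using OpenIddict.Abstractions;
using OpenIddict.Core;
using OpenIddict.EntityFrameworkCore.Models;

[ApiController]
public class RevocationController : Controller
{
    private readonly OpenIddictTokenManager<OpenIddictToken> _tokens;

    public RevocationController(OpenIddictTokenManager<OpenIddictToken> tokens)
    {
        _tokens = tokens;
    }

    // POST /api/revoke with "Authorization: Bearer <access token>".
    // Revokes every stored token that belongs to the calling user. With rolling
    // refresh tokens there is normally one valid refresh token; revoking all
    // valid rows also covers an older copy that should already be unusable.
    [HttpPost("/api/revoke")]
    [Authorize(AuthenticationSchemes = OAuthValidationDefaults.AuthenticationScheme)]
    public async Task<IActionResult> RevokeAsync(CancellationToken cancellationToken)
    {
        // The subject claim identifies the user the tokens were issued to; it was
        // placed in the ClaimsPrincipal returned by the token endpoint.
        var subject = User.FindFirst(OpenIdConnectConstants.Claims.Subject)?.Value;
        if (string.IsNullOrEmpty(subject))
        {
            return BadRequest("The access token carries no subject claim.");
        }

        var revoked = 0;
        foreach (var token in await _tokens.FindBySubjectAsync(subject, cancellationToken))
        {
            // Skip rows that are already redeemed or revoked. RevokeAsync sets the
            // status to "revoked", so a later refresh_token grant with that token
            // is rejected by the server.
            var status = await _tokens.GetStatusAsync(token, cancellationToken);
            if (string.Equals(status, OpenIddictConstants.Statuses.Valid, StringComparison.Ordinal))
            {
                await _tokens.RevokeAsync(token, cancellationToken);
                revoked++;
            }
        }

        // The caller should also discard its copy of the access token: unless
        // reference tokens are enabled, that token is not stored and cannot be
        // invalidated server-side before it expires.
        return Ok(new { revoked });
    }
}
```

Usage: call the endpoint with the user's current access token; afterwards a refresh_token grant for that user fails, while the access token itself keeps working until its one-hour lifetime ends unless UseReferenceTokens() is turned on in AddServer and the validation handler is configured to check the store.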