How to revoke the access and refresh token in OAuth 2.0?
I've used this method to revoke the token. But the access token and refresh token are still reusable afterwards. How do I revoke the access and refresh tokens?
using System.Threading.Tasks;
using IdentityModel.Client;
using Microsoft.AspNetCore.Mvc;

public async Task<IActionResult> Revoke(string refreshToken, string accessToken)
{
    // Discover the authority's endpoints (revocation_endpoint among them)
    var identityService = await DiscoveryClient.GetAsync("http://localhost:5000");

    // Client credentials used to authenticate the revocation request
    var revocationClient = new TokenRevocationClient(identityService.RevocationEndpoint, "ro.client", "secret");

    // One revocation request per token; check response.IsError / response1.IsError
    // to confirm the server actually accepted each request
    var response = await revocationClient.RevokeRefreshTokenAsync(refreshToken);
    var response1 = await revocationClient.RevokeAccessTokenAsync(accessToken);

    return Ok();
}
Only reference and refresh tokens can be revoked in this way. JWTs are valid until their exp time unless you build additional logic into the consumer.
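What "additional logic in the consumer" can look like, as an added example that is not part of this answer: the API validates the JWT as usual (signature, exp) and then rejects tokens whose jti has been placed on a revocation denylist. The HS256 shared secret, the in-memory denylist and the sample claims are assumptions for the demo; an IdentityServer token would normally be RS256-signed and the denylist would live in a shared store.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims: dict, secret: bytes) -> str:
    """Constructed HS256 token for the demo (a real authority would typically use RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

# Consumer-side denylist of revoked token ids (jti). Assumed in-memory here; in
# production this is a shared store that the revocation handler writes to. Entries
# can be dropped once the token's exp has passed, since exp is still enforced.
REVOKED_JTI = set()

def revoke_jwt(jti: str) -> None:
    REVOKED_JTI.add(jti)

def validate_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Returns (accepted, reason). Signature and exp are checked before the denylist."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's alg
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or now >= int(claims["exp"]):
        return False, "expired"
    jti = claims.get("jti")
    if not jti:
        return False, "missing jti"  # without a jti the token cannot be revoked, so reject it
    if jti in REVOKED_JTI:
        return False, "revoked"
    return True, "ok"
```

Tokens issued without a jti claim are rejected outright, because the denylist has nothing to key on.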
My company, which provides software for managing investment banking assets, uses the following separation:
API CREDENTIALS
USER SESSIONS
REVOCATION PROCESS
Typically the IT administrator will want to use context when revoking a refresh token, such as Application Id, User Id and Time Issued.
So if you are providing a UI for revocation you might want to provide fields such as the above.
Refresh tokens are only used for desktop / mobile apps or for server side web apps.
For a true browser app (single page app) you can't use refresh tokens. You can still separate API credential time from User Session time though.
There are some notes on my blog around sessions, in case they help:
I'm not covering server side web apps, but basically they carry the refresh token around in the authentication cookie.