当用户密码更改时，IdentityServer会话和访问令牌无效

Question

I'm using IdentityServer4 in ASP.NET Core 2.2. The client application (RP) is an API, also an ASP.NET Core 2.2 application. The user logs in using the authorization code flow and gets a cookie from IdentityServer ( idsrv ). They then get an authorization code and and access token for the API (RP).

I want to be able to revoke a user's existing login session and access tokens in some cases, eg if their password has been reset. In IdentityServer I've implemented added my own authentication scheme:

            .AddCookie("MyAuthenticationScheme", options =>
            {
                options.SessionStore = new MyTicketStore();
                options.EventsType = typeof(MyCookieAuthenticationEvents);
            })

This allows me to invalidate the user's IdentityServer session on the server before the authentication ticket expires. For example, when the user is signed in I add a claim that stores the date their password was last changed and in MyCookieAuthenticationEvents.ValidatePrincipal() I check that it has not been changed since, as suggested on https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-2.2#react-to-back-end-changes

I want to do the same with the access token they use the access the RP. If the user's password has changed (and in some other cases) I want the access token to be invalidated immediately, rather than waiting for it to expire. I'm using reference tokens and have implemented IProfileService and ICustomTokenValidator . In IProfileService.GetProfileDataAsync I copy the password change date claim to the access token claims collection and in ICustomTokenValidator.ValidateAccessTokenAsync I again check that claim against the real user.

This works, but it seems quite convoluted and complicated and I wonder if there is a simpler way to accomplish this - it seems like this should be a common requirement.

Answer 1

如果您正在使用引用令牌，那么为了使令牌无效，您需要的只是将其从您拥有的IPersistedGrantStore任何实现中删除，并且下次尝试通过内省验证引用令牌时，它将无效，因为它将不会更长的存在。