[英]Revoke refresh tokens when signing out from IdentityServer4
This my custom logout endpoint:这是我的自定义注销端点:
[HttpPost("logout")]
public async Task<IActionResult> LogoutAsync()
{
await _interaction.RevokeTokensForCurrentSessionAsync();
await HttpContext.SignOutAsync();
return Ok();
}
It removes IdentityServer cookies but if a user at this time has a refresh_token he still can use it after logout.它删除了 IdentityServer cookies 但如果此时用户有一个 refresh_token 他仍然可以在注销后使用它。 How to revoke all related refresh tokens?如何撤销所有相关的刷新令牌? I tried using IIdentityServerInteractionService.RevokeTokensForCurrentSessionAsync
but it doesn't work like expected.我尝试使用IIdentityServerInteractionService.RevokeTokensForCurrentSessionAsync
但它不像预期的那样工作。
Is your client a SPA?你的客户是SPA吗? If yes, delete the refresh_token from localstorage on logout action.如果是,请在注销操作时从 localstorage 中删除 refresh_token。
Also, you can make a POST request to this endpoint inside your custom logout function using HttpClient:此外,您可以使用 HttpClient 在自定义注销 function 中向此端点发出 POST 请求:
https://[Your_IdentityServer4_url]/connect/revocation
token_type_hint=refresh_token
client_id=[your_client_id]
client_secret=[your_client_secret]
token=[your_refresh_token]
Alternatively, you can use events to revoke refreshtoken on signout like this.或者,您可以像这样在注销时使用事件来撤销刷新令牌。
.AddCookie("cookie", options =>
{
options.Cookie.Name = "mvccode";
options.Events.OnSigningOut = async e =>
{
// revoke refresh token on sign-out
await e.HttpContext.RevokeUserRefreshTokenAsync();
};
})
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.