I've used this method to revoke the token, but the access token and refresh token are reusable again. How do I revoke the access and refresh token?
public async Task<IActionResult> Revoke(string refreshToken, string accessToken)
{
    // Locate the revocation endpoint via the IdentityServer discovery document.
    var identityService = await DiscoveryClient.GetAsync("http://localhost:5000");
    if (identityService.IsError)
        return StatusCode(500, identityService.Error);

    var revocationClient = new TokenRevocationClient(identityService.RevocationEndpoint, "ro.client", "secret");

    // Ask the server to revoke both tokens and check each response rather than discarding it.
    var refreshResponse = await revocationClient.RevokeRefreshTokenAsync(refreshToken);
    var accessResponse = await revocationClient.RevokeAccessTokenAsync(accessToken);

    if (refreshResponse.IsError || accessResponse.IsError)
        return BadRequest(new { refreshError = refreshResponse.Error, accessError = accessResponse.Error });

    return Ok();
}
Only reference and refresh tokens can be revoked in this way. JWTs are valid until their exp time unless you build additional logic into the consumer.
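The "additional logic into the consumer" mentioned above, as an added example that is not part of the question or the answer and is not IdentityServer's own code: an ASP.NET Core resource server that keeps a denylist of revoked JWT ids (the `jti` claim) and rejects a denylisted token in the `OnTokenValidated` event even though its `exp` has not passed. The `IRevokedTokenStore` interface, the in-memory store, the `DenylistAccessToken` helper and the audience name `api1` are assumptions for the example; the authority URL is the one from the question.

```csharp
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical denylist keyed by the token's jti claim. Each entry carries the
// token's own exp so the store can drop entries that no longer matter.
public interface IRevokedTokenStore
{
    void Revoke(string jti, DateTimeOffset expiresAt);
    bool IsRevoked(string jti);
}

// In-memory stand-in for the example. With more than one API instance this
// would have to be a shared store (a distributed cache or database).
public sealed class InMemoryRevokedTokenStore : IRevokedTokenStore
{
    private readonly ConcurrentDictionary<string, DateTimeOffset> _revoked = new();

    public void Revoke(string jti, DateTimeOffset expiresAt) => _revoked[jti] = expiresAt;

    public bool IsRevoked(string jti)
    {
        if (!_revoked.TryGetValue(jti, out var expiresAt)) return false;
        // Once the token has expired on its own, the entry is no longer needed.
        if (expiresAt <= DateTimeOffset.UtcNow)
        {
            _revoked.TryRemove(jti, out _);
            return false;
        }
        return true;
    }
}

public static class RevocationAwareJwtBearer
{
    // Called by the application's own revoke endpoint after it has told the
    // token server to revoke the refresh token: the access token's jti is
    // recorded so that API calls presenting it fail from now on.
    public static void DenylistAccessToken(IRevokedTokenStore store, string accessToken)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        if (!string.IsNullOrEmpty(jwt.Id))
            store.Revoke(jwt.Id, new DateTimeOffset(jwt.ValidTo, TimeSpan.Zero));
    }

    public static IServiceCollection AddRevocationAwareJwtBearer(this IServiceCollection services)
    {
        services.AddSingleton<IRevokedTokenStore, InMemoryRevokedTokenStore>();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "http://localhost:5000"; // token server from the question
                options.Audience = "api1";                   // assumption: placeholder API resource name
                options.Events = new JwtBearerEvents
                {
                    // Runs after signature, issuer, audience and lifetime checks have passed.
                    OnTokenValidated = context =>
                    {
                        var store = context.HttpContext.RequestServices.GetRequiredService<IRevokedTokenStore>();
                        var jti = context.Principal?.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;

                        // A token without a jti cannot be matched against the denylist; fail closed.
                        if (string.IsNullOrEmpty(jti))
                            context.Fail("token has no jti claim");
                        else if (store.IsRevoked(jti))
                            context.Fail("token has been revoked");

                        return Task.CompletedTask;
                    }
                };
            });

        return services;
    }
}
```

Register it with `services.AddRevocationAwareJwtBearer()` in `Startup.ConfigureServices` and call `DenylistAccessToken` from the revoke action alongside the revocation-endpoint calls. This trades the statelessness of JWTs for a small shared lookup on every request; the alternative that avoids it entirely is to issue reference tokens, which the API validates by introspection and which the revocation endpoint can invalidate directly.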
My company, which provides software for managing investment banking assets, uses the following separation:
API CREDENTIALS
USER SESSIONS
REVOCATION PROCESS
Typically the IT administrator will want to use context when revoking a refresh token, such as Application Id, User Id and Time Issued.
So if you are providing a UI for revocation you might want to provide fields such as the above.
Refresh tokens are only used for desktop / mobile apps or for server side web apps.
For a true browser app (single page app) you can't use refresh tokens. You can still separate API credential time from User Session time though.
There are some notes on my blog around sessions, in case they help:
I'm not covering server side web apps, but basically they carry the refresh token around in the authentication cookie.