
How to revoke the access and refresh token in Oauth2.0?

I've used this method to revoke the token. But the access token and refresh token are still reusable. How do I revoke the access and refresh token?

    using System.Threading.Tasks;
    using IdentityModel.Client;        // DiscoveryClient / TokenRevocationClient (IdentityModel 2.x/3.x API)
    using Microsoft.AspNetCore.Mvc;

    public async Task<IActionResult> Revoke(string refreshToken, string accessToken)
    {
        // Read the revocation endpoint from the discovery document
        var identityService = await DiscoveryClient.GetAsync("http://localhost:5000");
        if (identityService.IsError)
            return StatusCode(500, identityService.Error);

        var revocationClient = new TokenRevocationClient(identityService.RevocationEndpoint, "ro.client", "secret");

        // RFC 7009: the server answers 200 whether or not it knew the token,
        // so a success response does not prove the token was actually invalidated
        var response = await revocationClient.RevokeRefreshTokenAsync(refreshToken);
        var response1 = await revocationClient.RevokeAccessTokenAsync(accessToken);

        if (response.IsError || response1.IsError)
            return StatusCode(500, response.Error ?? response1.Error);
        return Ok();
    }

Only reference and refresh tokens can be revoked in this way. JWTs are valid until their exp time unless you build additional logic into the consumer.

My company, which provides software for managing investment banking assets, uses the following separation:

API CREDENTIALS

  • Access tokens are for calling APIs from UIs
  • They have a short lifetime of 30 minutes
  • They are JWTs and do not need to be revoked since they are short lived

USER SESSIONS

  • These are represented by a refresh token
  • The refresh token for a UI might last for 8 hours
  • Every 30 minutes the access token expires and is silently renewed
  • Refresh tokens are stored in a database
  • An IT administrator can revoke a refresh token by deleting it from the DB
  • This will force a new login after no more than 30 minutes

REVOCATION PROCESS

  • Typically the IT administrator will want to use context when revoking a refresh token, such as Application Id, User Id and Time Issued

  • So if you are providing a UI for revocation you might want to provide fields such as the above

Refresh tokens are only used for desktop / mobile apps or for server side web apps.

For a true browser app (single page app) you can't use refresh tokens. You can still separate API credential time from User Session time though.

There are some notes on my blog around sessions, in case they help:

  • OAuth Token Renewal Messages

  • I'm not covering server side web apps but basically they carry the refresh token around in the authentication cookie
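The lifecycle the two answers describe, played through end to end, as an added, runnable model (example code written for this page, not the answerer's code and not IdentityServer's): access tokens are 30-minute self-contained JWTs, the user session is an 8-hour refresh token held in a database, an IT administrator revokes by deleting that row using User Id / Application Id / Time Issued as context, and the next silent renewal then fails and forces a login. It also shows the point that a JWT keeps verifying until exp after its refresh token is gone, and goes one step beyond the text with the "additional logic in the consumer" as a jti denylist fed by an RFC 7009-style revocation call. Everything here is assumed for illustration: the HS256 signing key, the `AuthorizationServer` class and its method names, the in-memory dict standing in for the database, and the user/app names.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: one HMAC key shared by the toy issuer and the resource server,
# constructed for this demo only (a real setup would publish an asymmetric key via JWKS).
SIGNING_KEY = b"constructed-demo-signing-key-do-not-use"

ACCESS_TTL = 30 * 60        # API credential lifetime: 30 minutes, as in the answer
REFRESH_TTL = 8 * 60 * 60   # user session lifetime: 8 hours, as in the answer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_jwt(token: str):
    """Return the claims if the HS256 signature verifies, else None (no expiry check here)."""
    try:
        header, claims, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))


def verify_access_token(token: str, now: int, denylist=None):
    """Resource-server check: without a denylist a JWT is accepted until exp, revoked or not."""
    claims = parse_jwt(token)
    if claims is None or now >= claims["exp"]:
        return None
    if denylist is not None and claims["jti"] in denylist:
        return None
    return claims


class AuthorizationServer:
    """Toy issuer: self-contained JWT access tokens, refresh tokens kept in a 'database'."""

    def __init__(self):
        self.refresh_db = {}      # refresh token -> session record (user, app, issue time)
        self.revoked_jti = set()  # optional denylist: the 'additional logic in the consumer'

    def _mint_access_token(self, user_id: str, now: int) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ACCESS_TTL,
                                     "jti": secrets.token_hex(8)}).encode())
        sig = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        return f"{header}.{claims}.{_b64url(sig)}"

    def login(self, user_id: str, app_id: str, now: int):
        """Interactive login: store a session (refresh token) and mint the first access token."""
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_db[refresh_token] = {"user_id": user_id, "app_id": app_id,
                                          "issued": now, "expires": now + REFRESH_TTL}
        return refresh_token, self._mint_access_token(user_id, now)

    def refresh(self, refresh_token: str, now: int):
        """Silent renewal every 30 minutes; None means the UI must send the user back to login."""
        rec = self.refresh_db.get(refresh_token)
        if rec is None or now >= rec["expires"]:
            return None
        return self._mint_access_token(rec["user_id"], now)

    def revoke(self, token: str, token_type_hint: str) -> int:
        """RFC 7009 revocation endpoint: answers 200 whether or not the token was known."""
        if token_type_hint == "refresh_token":
            self.refresh_db.pop(token, None)
        elif token_type_hint == "access_token" and (claims := parse_jwt(token)):
            self.revoked_jti.add(claims["jti"])
        return 200

    def admin_revoke(self, user_id=None, app_id=None, issued_before=None) -> int:
        """IT-admin revocation by context (User Id, Application Id, Time Issued): delete from the DB."""
        victims = [t for t, r in self.refresh_db.items()
                   if (user_id is None or r["user_id"] == user_id)
                   and (app_id is None or r["app_id"] == app_id)
                   and (issued_before is None or r["issued"] < issued_before)]
        for t in victims:
            del self.refresh_db[t]
        return len(victims)


def run_scenario(t0: int = 1_700_000_000) -> dict:
    """Login, admin revocation, silent renewal and expiry; returns what each step observed."""
    srv = AuthorizationServer()
    rt, at = srv.login("alice", "trading-ui", t0)                 # constructed sample session
    out = {"initial_ok": verify_access_token(at, t0) is not None}
    out["deleted"] = srv.admin_revoke(user_id="alice", app_id="trading-ui")
    out["jwt_valid_after_revoke"] = verify_access_token(at, t0 + 300) is not None   # 5 min later
    srv.revoke(at, "access_token")                                 # consumer-side denylist
    out["jwt_rejected_with_denylist"] = verify_access_token(at, t0 + 300, srv.revoked_jti) is None
    out["renewal_after_revoke"] = srv.refresh(rt, t0 + ACCESS_TTL)  # None: forced login
    out["jwt_expired"] = verify_access_token(at, t0 + ACCESS_TTL) is None
    rt2, _ = srv.login("bob", "trading-ui", t0)                    # untouched control session
    out["healthy_renewal_ok"] = srv.refresh(rt2, t0 + ACCESS_TTL) is not None
    out["session_expired"] = srv.refresh(rt2, t0 + REFRESH_TTL) is None
    return out
```

Run `run_scenario()` and read the dict: `jwt_valid_after_revoke` is True because nothing in a self-contained JWT changes when its session row is deleted, which is why the answer says the design tolerates 30 minutes of residual access; `jwt_rejected_with_denylist` is the cost of closing that window, namely every API having to consult shared revocation state on each request, at which point you are effectively back to reference tokens.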
