Open Closed

Access tokens still valid after being revoked #5506


User avatar
0
tjinc created
  • ABP Framework version: v7.2.1
  • UI Type: Angular
  • Database System: EF Core
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes (Auth Server Separated - OpenIdDict)
  • Exception message and full stack trace:
  • Steps to reproduce the issue:
    • Login as a user to generate an active access token and refresh token.
    • Logout to revoke the tokens.
  • Expected behaviour: The access token can no longer be used, giving a 401 error if used.
  • Actual behaviour: The user is still able to make requests with the revoked access token.

We have tried to write middleware as a workaround for this issue, however ran into problems when dealing with impersonating a tenant/user. Furthermore, the tokens are not revoked if a user is logged in and has "isActive" set false. The suggested behaviour here is that such a user should be logged out and that their tokens are revoked (Note that we are using OpenIdDict tokens).


1 Answer(s)
  • User Avatar
    0
    Anjali_Musmade created
    Support Team Support Team Member

    Hi,

    The logout doesn't invalidate the access token.it just sign out the currently authenticated user, which involves clearing the authentication cookie and related session data. However, it does not directly deal with revoking access tokens issued by an OpenID Connect.

    You can either achieve by a approach is to issue short-lived access tokens. By making access tokens expire relatively quickly, you can achieve a similar effect to revocation. Clients would need to request a new access token using the refresh token or by re-authenticating once the access token expires.

    Also please refer to this discussion : https://github.com/openiddict/openiddict-core/issues/191.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 05, 2024, 12:19