Hi Team,
We have implemented access and refresh tokens in our application, and all standard validations are in place.
However, we’ve observed that even after logging out, the original access token obtained during login remains valid and can still be used for API calls until it naturally expires.
We would like to explicitly mark the access token as expired or revoked during logout to prevent any further usage. Could you please advise how we can achieve this within the ABP.IO and OpenIddict setup?
Looking forward to your guidance.
1 Answer(s)
To explicitly invalidate or revoke access tokens on logout in an ABP.IO application using OpenIddict, you need to implement token revocation logic, as JWT access tokens are typically stateless and remain valid until expiration unless actively revoked.
Here’s how you can achieve this:
Enable Token Revocation in OpenIddict:
- OpenIddict supports token revocation via its built-in endpoints. When a user logs out, you should call the revocation endpoint to invalidate the access (and optionally refresh) token.
Call the Revocation Endpoint on Logout:
- When handling logout, send a request to the /connect/revocation endpoint with the token to be revoked. This can be done from your client or server-side code.
Example HTTP request:
POST /connect/revocation
Content-Type: application/x-www-form-urlencoded

token={access_token}&token_type_hint=access_token&client_id={client_id}&client_secret={client_secret}
Custom Logic with OpenIddict Events (Optional):
- You can hook into OpenIddict events to add custom logic during sign-out, such as logging or additional cleanup. For example, implement a handler for OpenIddictServerEvents.ProcessSignOutContext.
using System.Threading.Tasks;
using OpenIddict.Server;

// Custom OpenIddict server event handler that runs when a sign-out request is processed.
public class SignOutEventHandler : IOpenIddictServerHandler<OpenIddictServerEvents.ProcessSignOutContext>
{
    // Descriptor used to register this handler with the OpenIddict server pipeline.
    public static OpenIddictServerHandlerDescriptor Descriptor { get; }
        = OpenIddictServerHandlerDescriptor.CreateBuilder<OpenIddictServerEvents.ProcessSignOutContext>()
            .UseSingletonHandler<SignOutEventHandler>()
            .SetOrder(100_000)
            .SetType(OpenIddictServerHandlerType.Custom)
            .Build();

    public ValueTask HandleAsync(OpenIddictServerEvents.ProcessSignOutContext context)
    {
        // Custom logic here (e.g., revoke tokens)
        return ValueTask.CompletedTask;
    }
}
Register the handler in your module:
// Inside your ABP module class: register the handler with the OpenIddict server builder.
public override void PreConfigureServices(ServiceConfigurationContext context)
{
    PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
    {
        serverBuilder.AddEventHandler(SignOutEventHandler.Descriptor);
    });
}
Considerations:
- If you use JWTs as access tokens, revocation is only effective if your APIs check the token’s status (e.g., via introspection or a token blacklist) because JWTs are otherwise self-contained and valid until expiry.
- For more immediate revocation, consider using reference tokens (opaque tokens) instead of JWTs, as their validity is checked against the server on each request.
Summary:
- Use the OpenIddict revocation endpoint to revoke tokens on logout.
- Optionally, implement custom event handlers for additional logic.
- For JWTs, consider switching to reference tokens for strict revocation needs.
Sources:
- ABP OpenIddict Module Documentation
- OpenIddict Events Model
- Customizing Authentication Flow with OpenIddict Events in ABP
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
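An added example, not code from the answer above or from ABP/OpenIddict themselves, filling in the "custom logic" slot the answer leaves empty: a scoped OpenIddict sign-out handler that marks every token stored for the signing-out user as revoked. It assumes tokens are persisted in the OpenIddict token store (ABP's default), that the logout request still carries the user's authenticated principal on the HttpContext, and a handler class name chosen here for illustration.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using OpenIddict.Abstractions;
using OpenIddict.Server;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Server.OpenIddictServerEvents;

// Hypothetical handler name. Scoped (not singleton) because IOpenIddictTokenManager
// is a scoped service and cannot be injected into a singleton handler.
public class RevokeTokensOnSignOutHandler : IOpenIddictServerHandler<ProcessSignOutContext>
{
    public static OpenIddictServerHandlerDescriptor Descriptor { get; }
        = OpenIddictServerHandlerDescriptor.CreateBuilder<ProcessSignOutContext>()
            .UseScopedHandler<RevokeTokensOnSignOutHandler>()
            .SetOrder(100_000)
            .SetType(OpenIddictServerHandlerType.Custom)
            .Build();

    private readonly IOpenIddictTokenManager _tokenManager;

    public RevokeTokensOnSignOutHandler(IOpenIddictTokenManager tokenManager)
        => _tokenManager = tokenManager;

    public async ValueTask HandleAsync(ProcessSignOutContext context)
    {
        // Assumption: the cookie-authenticated user is still on the HttpContext
        // when the /connect/logout request reaches the OpenIddict pipeline.
        var principal = context.Transaction.GetHttpRequest()?.HttpContext.User;
        var subject = principal?.FindFirst(OpenIddictConstants.Claims.Subject)?.Value
                   ?? principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(subject))
        {
            return; // anonymous logout request: nothing to revoke
        }

        // Flag every token issued to this subject as revoked in the store.
        // Reference tokens are rejected on the next API call; JWTs are only
        // affected if the API validates them via introspection, as the answer notes.
        await foreach (var token in _tokenManager.FindBySubjectAsync(subject, context.CancellationToken))
        {
            await _tokenManager.TryRevokeAsync(token, context.CancellationToken);
        }
    }
}

// Registration in the ABP module, mirroring the answer's PreConfigureServices:
// PreConfigure<OpenIddictServerBuilder>(b => b.AddEventHandler(RevokeTokensOnSignOutHandler.Descriptor));
```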