
ABP Log in and then log out the token problem #9622


0
1198462239 created

When revoking a Token, do we need to first enable the persistent token feature of OpenIddict? If so, are there any other methods to cancel the Token? I don't want to accomplish this by converting the Token into a Guid.

Currently, I have not enabled persistence. The call to /connect/revocation returns a 200 status code, but the token has not been invalidated.


4 Answer(s)
  • User Avatar
    0
    AI-Bot created
    Support Team ABP Agent

    To revoke (invalidate) a token using the /connect/revocation endpoint in ABP's OpenIddict integration, you must enable the persistent token feature. By default, OpenIddict does not persist tokens unless you configure it to do so. Without persistence, the revocation endpoint cannot find and invalidate the token, so the token remains valid even though the endpoint returns a 200 status code.

    Key Points:

    • Token revocation requires token persistence. You need to enable the OpenIddict token storage feature so that tokens are saved in the database.
    • If you do not enable persistence, the /connect/revocation endpoint cannot actually revoke tokens, even though it returns a success response.
    • There is no supported way to revoke tokens without persistence, and you do not need to convert the token into a Guid. The persistence mechanism handles token identification and revocation.

    How to enable token persistence:

    1. Ensure you have installed the OpenIddict Entity Framework Core stores or another supported store.
    2. Configure OpenIddict to use the token store in your module:
    services.AddOpenIddict()
           .AddCore(options =>
           {
               options.UseEntityFrameworkCore()
                      .UseDbContext<YourDbContext>();
           });
    
    3. Run the necessary database migrations to create the token tables.

    After enabling persistence, token revocation via /connect/revocation will work as expected.

    Sources:

    • https://abp.io/docs/latest/modules/openiddict

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    but the token has not been invalidated.

    Do you mean that you can still call the API using this JWT token?

    Thanks.

  • User Avatar
    0
    1198462239 created

    Yes. Manually copy the token and then log out. You can still call the API using the token.

    Is there a way to prevent access with the logged-out token without using a persistent database?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    JWT tokens cannot be revoked before they expire by default.

    You can consider using ABP's session feature. Revoking a session will make the JWT invalid. https://abp.io/docs/latest/modules/identity/session-management


    You can also create your own JWT authentication logic. Add revoked tokens to Redis, and after the API verifies the token, also check Redis.

      // Register the JWT bearer scheme, replacing the default token handler with a custom one.
      context.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddAbpJwtBearer(options =>
        {
            options.Authority = configuration["AuthServer:Authority"];
            options.RequireHttpsMetadata = configuration.GetValue<bool>("AuthServer:RequireHttpsMetadata");
            options.Audience = "MyProjectName";
    
            // Drop the default JsonWebTokenHandler and plug in the custom handler defined below.
            options.TokenHandlers.Clear();
            options.TokenHandlers.Add(new MyJsonWebTokenHandler());
    
        });
    
    using System.Threading.Tasks;
    using Microsoft.IdentityModel.JsonWebTokens;
    using Microsoft.IdentityModel.Tokens;
    
    namespace MyCompanyName.MyProjectName;
    
    // Runs the standard JWT validation (signature, issuer, audience, lifetime) first;
    // the custom check (for example, a lookup of revoked tokens in Redis) only runs
    // when that validation succeeded.
    public class MyJsonWebTokenHandler : JsonWebTokenHandler
    {
        public override async Task<TokenValidationResult> ValidateTokenAsync(SecurityToken token, TokenValidationParameters validationParameters)
        {
            var result = await base.ValidateTokenAsync(token, validationParameters);
            if (result.IsValid)
            {
                var rawToken = token.ToString();
    
                // Custom logic after token validation: for example, look up rawToken (or its jti claim)
                // in the revoked-token list and set result.IsValid = false if it is found.
            }
    
            return result;
        }
    }
    
    
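The following is an added, complete version of the Redis-denylist approach described in the last answer. It is example code written for this page, not ABP's or OpenIddict's own code, and the class names (`JwtDenylist`, `DenylistJsonWebTokenHandler`, `DenylistJwtSetup`) are hypothetical. It assumes a .NET 8+ `JwtBearerOptions.TokenHandlers` pipeline, an `IDistributedCache` registered in the container (Redis in a typical ABP deployment), and access tokens that carry a `jti` claim. The denylist entry expires together with the token's own `exp`, so the cache never grows beyond the set of tokens that are still otherwise valid.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

namespace MyCompanyName.MyProjectName;

// Hypothetical denylist of revoked access tokens, keyed by the token's jti claim and
// stored in IDistributedCache (backed by Redis in a typical ABP deployment).
public class JwtDenylist
{
    private static readonly byte[] Marker = { 1 };
    private readonly IDistributedCache _cache;

    public JwtDenylist(IDistributedCache cache) => _cache = cache;

    private static string Key(string jti) => "revoked-jwt:" + jti;

    // Called at logout. The entry only has to live until the token's own exp; after that
    // the normal lifetime check rejects the token anyway.
    public async Task RevokeAsync(JsonWebToken token)
    {
        if (string.IsNullOrEmpty(token.Id)) return;      // no jti: nothing to key on
        var remaining = token.ValidTo - DateTime.UtcNow;
        if (remaining <= TimeSpan.Zero) return;           // already expired
        await _cache.SetAsync(Key(token.Id), Marker,
            new DistributedCacheEntryOptions { AbsoluteExpirationRelativeToNow = remaining });
    }

    public async Task<bool> IsRevokedAsync(string jti)
        => await _cache.GetAsync(Key(jti)) != null;
}

// Runs the standard JWT checks (signature, issuer, audience, lifetime) first and then
// consults the denylist, so a revoked token is rejected although it is still signed and unexpired.
// The string overload is overridden because that is the one the JWT bearer handler calls.
public class DenylistJsonWebTokenHandler : JsonWebTokenHandler
{
    private readonly JwtDenylist _denylist;

    public DenylistJsonWebTokenHandler(JwtDenylist denylist) => _denylist = denylist;

    public override async Task<TokenValidationResult> ValidateTokenAsync(
        string token, TokenValidationParameters validationParameters)
    {
        var result = await base.ValidateTokenAsync(token, validationParameters);
        if (!result.IsValid) return result;

        var jwt = (JsonWebToken)result.SecurityToken;

        // Fail closed: a token without jti can never be revoked, so it is not accepted.
        if (string.IsNullOrEmpty(jwt.Id))
            return Fail(new SecurityTokenValidationException("Access token has no jti claim."));

        if (await _denylist.IsRevokedAsync(jwt.Id))
            return Fail(new SecurityTokenValidationException("Access token has been revoked."));

        return result;
    }

    private static TokenValidationResult Fail(Exception ex)
        => new TokenValidationResult { IsValid = false, Exception = ex };
}

public static class DenylistJwtSetup
{
    // Wiring: swap the default handler on the JWT bearer scheme for the denylist-aware one.
    public static IServiceCollection AddDenylistJwt(this IServiceCollection services)
    {
        services.AddSingleton<JwtDenylist>();
        services.AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme)
            .Configure<JwtDenylist>((options, denylist) =>
            {
                options.SaveToken = true; // keeps the raw token reachable via GetTokenAsync at logout
                options.TokenHandlers.Clear();
                options.TokenHandlers.Add(new DenylistJsonWebTokenHandler(denylist));
            });
        return services;
    }

    // Logout side: revoke the token the current request was authenticated with.
    public static async Task RevokeCurrentTokenAsync(HttpContext httpContext, JwtDenylist denylist)
    {
        var raw = await httpContext.GetTokenAsync(JwtBearerDefaults.AuthenticationScheme, "access_token");
        if (string.IsNullOrEmpty(raw)) return;
        await denylist.RevokeAsync(new JsonWebToken(raw));
    }
}
```

Call `AddDenylistJwt()` after `AddAbpJwtBearer(...)` in the API's module and `RevokeCurrentTokenAsync(HttpContext, denylist)` from the logout endpoint. Two caveats a practitioner should keep in mind: this only covers access tokens that were actually presented at logout, so refresh tokens still have to be revoked at the authorization server; and every authenticated request now costs one cache round-trip, so decide deliberately whether a cache outage should fail open or closed.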
Made with ❤️ on ABP v10.0.0-preview. Updated on September 01, 2025, 08:37