Activities of "Yaduraj.Shakti"

Hi @fahrigedik,

Can you create a GitHub repo and post your project there?

Hello Team,

Thanks for confirming that AuthService.login() only supports JWT-based flows.

However, our main concern is not just login, but **secure revocation of access tokens during logout or re-login**. This is a critical requirement for us.

We’ve already raised another ticket related to this: How-to-Invalidate-Access-Token-on-Logout https://abp.io/support/questions/9531/How-to-Invalidate-Access-Token-on-Logout#answer-3a1abddd-345b-38e4-45e8-b809897a59ba

We’ve implemented token revocation correctly at the backend using OpenIddict.

But since we're using JWT tokens, the token is still considered valid on the resource server after revocation, because:

  • JWT validation is stateless
  • No DB call or introspection occurs per request

So even if the token is revoked, any service or API holding the previously issued JWT still allows access until the token expires.

We need guidance on:

  • How to properly handle login + token storage in Angular when using Reference Tokens
  • Whether ABP.IO plans to support AuthService.login() with Reference Tokens
  • Recommended best practice for securely revoking tokens (especially on login/logout scenarios) in both frontend and backend
  • Whether we must fully switch to loginUsingGrant() + custom token storage in Angular apps using confidential clients

Looking forward to your input, as this is urgent and security-critical for us. Please let me know if we can have a call so that we can share the code.

Thanks
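An added editorial example of the two OpenIddict settings that address the stateless-JWT problem the post describes: a per-request token-entry lookup for resource servers that share the auth server's database, and reference (opaque) access tokens plus RFC 7662 introspection for resource servers that do not. This is not ABP's, OpenIddict's or the poster's code. The module names `MyProjectAuthServerModule` and `MyProjectRemoteApiModule`, the audience `MyProject`, the issuer `https://auth.example.com/` and the introspection client `MyProject_Api` with its placeholder secret are all assumptions.

```csharp
// Added editorial example, not ABP's, OpenIddict's or the poster's code.
// Placeholders: MyProjectAuthServerModule, MyProjectRemoteApiModule, the
// audience "MyProject", the issuer https://auth.example.com/ and the
// introspection client MyProject_Api / "placeholder-secret".
using System;
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Validation.AspNetCore;
using Volo.Abp.Modularity;

// Auth server, and any API hosted in the same process (shares the OpenIddict token table).
public class MyProjectAuthServerModule : AbpModule
{
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
        {
            // Reference tokens are opaque handles; the token body lives in the
            // OpenIddict token table, so revoking that row invalidates the handle
            // everywhere, and nothing useful can be read out of a stolen handle.
            serverBuilder.UseReferenceAccessTokens();
            serverBuilder.UseReferenceRefreshTokens();
        });

        PreConfigure<OpenIddictBuilder>(builder =>
        {
            builder.AddValidation(options =>
            {
                options.AddAudiences("MyProject");
                options.UseLocalServer();
                // Per-request lookup of the token (and authorization) entry: a token
                // revoked at logout is rejected on the next request instead of being
                // accepted until "exp". This works for self-contained JWTs as well.
                options.EnableTokenEntryValidation();
                options.EnableAuthorizationEntryValidation();
                options.UseAspNetCore();
            });
        });
    }
}

// A resource server in another process that cannot read the token table.
public class MyProjectRemoteApiModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        context.Services.AddOpenIddict()
            .AddValidation(options =>
            {
                options.SetIssuer(new Uri("https://auth.example.com/"));
                options.AddAudiences("MyProject");
                // RFC 7662 introspection: ask the auth server on each request whether
                // the handle is still active. Revocation is immediate here too, at the
                // cost of one HTTP round trip per request (cache responses with care).
                options.UseIntrospection()
                       .SetClientId("MyProject_Api")
                       .SetClientSecret("placeholder-secret");
                options.UseSystemNetHttp();
                options.UseAspNetCore();
            });

        context.Services.AddAuthentication(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
    }
}
```

`EnableTokenEntryValidation()` alone already closes the gap the post describes when the API shares the auth server's database, because the entry status is checked on every request whether the token is a JWT or a reference handle. Reference tokens matter once an API runs elsewhere: the handle carries no claims, so such an API must introspect, and introspection is what makes a revoked token fail immediately there. Whether the Angular `AuthService.login()` path accepts reference tokens is the open question the post puts to ABP; the server-side settings above do not depend on the answer.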

Hi @maliming,

Thanks for the clarification. We are using the access token + refresh token flow to minimize the damage (in case the JWT token is stolen).

Still, can you help with some examples of adding X-Session-Id / HttpOnly cookies in ABP.IO?

Or is there a way to bind the token to a specific device?

Hi @maliming

We have done security testing with a third party, and they have given the recommendation that, in case an access token can be spoofed or stolen, we must allow the access token only from the valid user/device.

Please can you guide whether implementing such a case is possible or not.

Hi @maliming

No, we don't have this scope in our environment.ts file.

Thanks a lot @maliming

I will ensure that we are using common protective measures.

However, in our application tokens are short-lived and this is impacting us:

  • user experience, with frequent re-authentication
  • technical issues or broken functionality due to token expiration during active use (for example, we have long-running background tasks)

Could you please provide guidance or share an example of how to implement the access token + refresh token flow within ABP.IO (Angular + .NET Core backend)? Please note that we recently migrated from IdentityServer to OpenIddict.
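An added editorial example of the server side of the flow the post asks about (short-lived access token, longer rolling refresh token) together with a .NET caller that keeps a valid token across a long-running task by exchanging the refresh token before the access token expires. This is not ABP's, OpenIddict's or the poster's code. The module name `MyProjectAuthServerModule`, the lifetimes, the token endpoint `https://auth.example.com/connect/token`, the client `MyProject_Worker` with its placeholder secret and the class `RefreshingTokenProvider` are all assumptions.

```csharp
// Added editorial example, not ABP's, OpenIddict's or the poster's code.
// Placeholders: MyProjectAuthServerModule, the lifetimes, the token endpoint
// https://auth.example.com/connect/token, client MyProject_Worker / "placeholder-secret".
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp.Modularity;

public class MyProjectAuthServerModule : AbpModule
{
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
        {
            // Short access token: bounds the damage a stolen JWT can do.
            serverBuilder.SetAccessTokenLifetime(TimeSpan.FromMinutes(15));
            // Longer refresh token: the user keeps a session without re-authenticating.
            serverBuilder.SetRefreshTokenLifetime(TimeSpan.FromDays(7));
            // Each refresh returns a new refresh token and revokes the old one, so a
            // refresh token that was copied and replayed later is detectable.
            serverBuilder.UseRollingRefreshTokens();
        });
    }
}

// Caller (e.g. a long-running task) that keeps a valid access token by exchanging
// the refresh token at the token endpoint shortly before the current one expires.
public sealed class RefreshingTokenProvider
{
    private readonly HttpClient _http;
    private readonly Uri _tokenEndpoint;
    private readonly string _clientId;
    private readonly string _clientSecret;
    private readonly SemaphoreSlim _gate = new(1, 1);
    private string _accessToken = string.Empty;
    private string _refreshToken;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    public RefreshingTokenProvider(HttpClient http, Uri tokenEndpoint, string clientId,
        string clientSecret, string initialRefreshToken)
    {
        _http = http; _tokenEndpoint = tokenEndpoint; _clientId = clientId;
        _clientSecret = clientSecret; _refreshToken = initialRefreshToken;
    }

    public async Task<string> GetAccessTokenAsync(CancellationToken ct = default)
    {
        // Refresh 30 s early so a request in flight never carries a just-expired token.
        if (DateTimeOffset.UtcNow < _expiresAt.AddSeconds(-30)) return _accessToken;

        await _gate.WaitAsync(ct); // one refresh at a time: rolling tokens are single-use
        try
        {
            if (DateTimeOffset.UtcNow < _expiresAt.AddSeconds(-30)) return _accessToken;

            var form = new Dictionary<string, string>
            {
                ["grant_type"] = "refresh_token",
                ["refresh_token"] = _refreshToken,
                ["client_id"] = _clientId,
                ["client_secret"] = _clientSecret,
            };
            using var response = await _http.PostAsync(_tokenEndpoint, new FormUrlEncodedContent(form), ct);
            response.EnsureSuccessStatusCode();

            using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync(ct));
            var root = json.RootElement;
            _accessToken = root.GetProperty("access_token").GetString()!;
            _expiresAt = DateTimeOffset.UtcNow.AddSeconds(root.GetProperty("expires_in").GetInt32());
            // With rolling refresh tokens the response carries the replacement; keep it,
            // because the one just used is now revoked on the server.
            if (root.TryGetProperty("refresh_token", out var next))
                _refreshToken = next.GetString() ?? _refreshToken;
            return _accessToken;
        }
        finally
        {
            _gate.Release();
        }
    }
}
```

Construct it as `new RefreshingTokenProvider(httpClient, new Uri("https://auth.example.com/connect/token"), "MyProject_Worker", "placeholder-secret", refreshTokenFromLogin)` and call `GetAccessTokenAsync()` before each API request. OpenIddict only issues a refresh token when the client requests the `offline_access` scope and its registration permits that scope, so the Angular client's scope list and the client registration both have to include it for the browser side of the same flow; the semaphore matters because with rolling refresh tokens two concurrent refreshes with the same token would race, and the loser's token is already revoked.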

Hi

access tokens issued for one user can potentially be used by another user to make API requests.

Why can one user's token be obtained by another user? How did he get it?

Thanks

Hi @maliming

Let me clarify the context further; here is my updated reply:

During our recent security and penetration testing, we identified a critical vulnerability related to token validation. Specifically, an access token issued for one user can be used by another user or system to access protected resources. This token reuse issue represents a serious security risk.

We must address this immediately to prevent potential misuse and ensure secure access to our application.

Please guide on all the possible options. How to achieve followings:

  • Access tokens should be strictly tied to the user, device, or session they were issued for.
  • No other user or system should be able to use someone else’s token to make API requests.

Thanks
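An added editorial example of one standard way to make an access token usable only from the device it was issued to, which is what the last three posts above ask for: certificate-bound (mTLS) tokens per RFC 8705. This is not ABP's, OpenIddict's or the poster's code. It assumes the authorization server places an RFC 8705 `cnf` claim holding the client certificate's `x5t#S256` thumbprint in the access token, and that the API host negotiates TLS client certificates so `HttpContext.Connection.ClientCertificate` is populated; neither is an ABP default. The class `CertificateBoundTokens` and the extension method `AddCertificateBinding` are also assumptions.

```csharp
// Added editorial example, not ABP's, OpenIddict's or the poster's code.
// Assumptions: the auth server issues an RFC 8705 "cnf":{"x5t#S256":"..."} claim,
// the API host negotiates TLS client certificates, and the class and extension
// method names are ours.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;

public static class CertificateBoundTokens
{
    public const string ConfirmationClaim = "cnf";
    public const string ThumbprintMember = "x5t#S256";

    // RFC 8705 section 3.1: base64url(SHA-256(DER-encoded certificate)), no padding.
    public static string Thumbprint(X509Certificate2 certificate)
    {
        var hash = SHA256.HashData(certificate.RawData);
        return Convert.ToBase64String(hash).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // True only when the token's cnf thumbprint matches the certificate presented on
    // this TLS connection. A token without cnf, or a request without a certificate,
    // is rejected: if binding is the policy, "unbound" is a failure, not a pass.
    public static bool Matches(string? cnfJson, X509Certificate2? presented)
    {
        if (string.IsNullOrEmpty(cnfJson) || presented is null) return false;

        using var doc = JsonDocument.Parse(cnfJson);
        if (!doc.RootElement.TryGetProperty(ThumbprintMember, out var expected)) return false;

        var expectedBytes = Encoding.UTF8.GetBytes(expected.GetString() ?? string.Empty);
        var actualBytes = Encoding.UTF8.GetBytes(Thumbprint(presented));
        return CryptographicOperations.FixedTimeEquals(expectedBytes, actualBytes);
    }

    // Hook the check into the JWT bearer pipeline. Signature, issuer, audience and
    // expiry are checked by the handler first; this runs afterwards and turns a
    // binding mismatch into an authentication failure (401).
    public static void AddCertificateBinding(this JwtBearerOptions options)
    {
        options.Events ??= new JwtBearerEvents();
        options.Events.OnTokenValidated = context =>
        {
            var cnf = context.Principal?.FindFirst(ConfirmationClaim)?.Value;
            var presented = context.HttpContext.Connection.ClientCertificate;
            if (!Matches(cnf, presented))
            {
                // A stolen bearer token is useless without the matching private key.
                context.Fail("access token is not bound to the presented client certificate");
            }
            return Task.CompletedTask;
        };
    }
}
```

Wire it up in the API module with `Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, o => o.AddCertificateBinding())`. A browser SPA cannot normally hold a client certificate, so for an Angular front end the equivalent binding is DPoP (RFC 9449): the client generates a per-device key pair, the server puts its thumbprint in `cnf.jkt`, and each request carries a signed `DPoP` proof that the API verifies the same way. An `X-Session-Id` header or cookie alone does not achieve this, because whatever stole the token can usually steal the session identifier with it; binding to a key that never leaves the device is what makes the stolen token unusable.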

Thanks @enisn

One more thing: we are using ILocalEventHandler to track entity changes, and in the local event handler we are further publishing to the IDistributedEventBus. Would this still be causing performance issues?

```csharp
using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Domain.Entities.Events;
using Volo.Abp.EventBus;
using Volo.Abp.EventBus.Distributed;

public class MyEntityStatusChangedEventHandler : ILocalEventHandler<EntityCreatedEventData<MyEntity>>, ITransientDependency
{
    private readonly IDistributedEventBus _distributedEventBus;

    public MyEntityStatusChangedEventHandler(IDistributedEventBus distributedEventBus)
    {
        _distributedEventBus = distributedEventBus;
    }

    // Handling the local event
    public async Task HandleEventAsync(EntityCreatedEventData<MyEntity> entityCreatedData)
    {
        // Publishing the distributed event
        await _distributedEventBus.PublishAsync(new CustomDataEto
        {
            // set properties from the created entity
            Data = entityCreatedData.Entity.Data
        });
    }
}
```

Also, what if we use a new transaction scope using IUnitOfWorkManager?

Hi @maliming

Thank you for your response.

In this case, how can I schedule a background job to run on a monthly basis at a specific time such as EOD (I am bound not to use Hangfire or any other lib as of now)? Could you please come up with an example?

Thanks!
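An added editorial example of a monthly end-of-day job built only on ABP's own `AsyncPeriodicBackgroundWorkerBase`, with no Hangfire or other scheduler library, as the post requires. This is not ABP's or the poster's code. The worker polls on a fixed period and does the real work only once, in the evening window of the month's last day. The interface `IMonthEndReportService`, the module `MonthEndWorkerModule`, the 10-minute polling period and the 23:00 window start are all assumptions.

```csharp
// Added editorial example, not ABP's or the poster's code.
// Assumptions: IMonthEndReportService and MonthEndWorkerModule are ours, and the
// polling period and the 23:00 window start are placeholders.
using System;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp;
using Volo.Abp.BackgroundWorkers;
using Volo.Abp.Modularity;
using Volo.Abp.Threading;
using Volo.Abp.Timing;

// Hypothetical application service that does the actual month-end work.
public interface IMonthEndReportService
{
    Task RunAsync();
}

public class MonthEndWorker : AsyncPeriodicBackgroundWorkerBase
{
    // The worker ticks every 10 minutes; the job itself runs only inside the EOD
    // window of the month's last day, and at most once per month.
    private const int PollMilliseconds = 10 * 60 * 1000;
    private static readonly TimeSpan WindowStart = new(23, 0, 0);
    private DateTime? _lastRunMonth; // first-of-month marker of the last execution

    public MonthEndWorker(AbpAsyncTimer timer, IServiceScopeFactory serviceScopeFactory)
        : base(timer, serviceScopeFactory)
    {
        Timer.Period = PollMilliseconds;
    }

    // Pure schedule check, kept separate from the worker so it can be unit tested.
    public static bool IsDue(DateTime now, DateTime? lastRunMonth)
    {
        var lastDay = DateTime.DaysInMonth(now.Year, now.Month);
        var thisMonth = new DateTime(now.Year, now.Month, 1);
        return now.Day == lastDay
            && now.TimeOfDay >= WindowStart
            && lastRunMonth != thisMonth;
    }

    protected override async Task DoWorkAsync(PeriodicBackgroundWorkerContext workerContext)
    {
        // IClock honours the application's configured clock kind (UTC or local).
        var clock = workerContext.ServiceProvider.GetRequiredService<IClock>();
        var now = clock.Now;
        if (!IsDue(now, _lastRunMonth))
        {
            return;
        }

        var service = workerContext.ServiceProvider.GetRequiredService<IMonthEndReportService>();
        await service.RunAsync();
        _lastRunMonth = new DateTime(now.Year, now.Month, 1);
    }
}

[DependsOn(typeof(AbpBackgroundWorkersModule))]
public class MonthEndWorkerModule : AbpModule
{
    public override async Task OnApplicationInitializationAsync(ApplicationInitializationContext context)
    {
        await context.AddBackgroundWorkerAsync<MonthEndWorker>();
    }
}
```

The poll-and-check shape is what makes this survive restarts without a scheduler library: if the process is down at 23:00 and comes back at 23:40, the next tick is still inside the window and the job still runs that day. The `_lastRunMonth` marker is in memory, so with several application instances each one would run the job; when scaled out, persist the marker (a setting or a table row) or take a distributed lock around the run so only one instance executes it.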

Thank you for the quick response.

Made with ❤️ on ABP v10.2.0-preview. Updated on January 09, 2026, 07:22