Unable to invalidate the access and refresh token even after revoking the token from the database

I am using OpenIddict 2.0 and .NET 6 in our application and I need to invalidate the access and refresh token during logout. But I am not able to invalidate the token after using the RevokeAsync method through OpenIddictTokenManager. Also, after manually deleting the token from the database I am still able to access other APIs using that same token.

We have tried a few ways to invalidate the token, which are mentioned below:

  1. I have used the code below to invalidate the token in the database. It changed the status to revoked in the database table, but I am still able to access the API using that access token.

    var openIddictToken = new OpenIddictToken();
    await _tokenManager.RevokeAsync(openIddictToken);
    
  2. I have used this code in Startup.cs to validate whether the token is valid or not. But that also did not work.

    .AddValidation(options =>
    {
        // Import the configuration from the local OpenIddict server instance.
        options.UseLocalServer();

        // Register the ASP.NET Core host.
        options.UseAspNetCore();

        // For applications that need immediate access token or authorization
        // revocation, the database entry of the received tokens and their
        // associated authorizations can be validated for each API call.
        // Enabling these options may have a negative impact on performance.
        options.EnableAuthorizationEntryValidation();
        options.EnableTokenEntryValidation();
    });


Please help me find the proper solution to invalidate the access and refresh token at the time of logout.

Also, is there a way to invalidate the access token during logout using .NET Core?
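The requirement in the question is a server-side check on every request: a signed, unexpired JWT must be refused once its database entry is revoked or deleted, which is what OpenIddict's EnableTokenEntryValidation option automates when the validation stack can resolve the token's entry. As an added example (not code from the question or from OpenIddict), here is that check written as plain ASP.NET Core middleware against a hypothetical IRevokedTokenStore; it assumes the access token carries its unique id in a "jti" claim, and that the store is backed by the same token table the question revokes rows in.

```csharp
// Added example, not from the question or OpenIddict. Assumptions:
//  - access tokens are JWTs whose unique id is exposed as the "jti" claim;
//  - IRevokedTokenStore (hypothetical) answers "is this token id revoked?"
//    from the token table; the in-memory store below stands in for it.
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public interface IRevokedTokenStore
{
    // True when the token with this id has been revoked or its row deleted.
    Task<bool> IsRevokedAsync(string tokenId);
}

// Demonstration store; a real implementation queries the token table.
public sealed class InMemoryRevokedTokenStore : IRevokedTokenStore
{
    private readonly ConcurrentDictionary<string, byte> _revoked = new();

    public void Revoke(string tokenId) => _revoked[tokenId] = 0;

    public Task<bool> IsRevokedAsync(string tokenId) =>
        Task.FromResult(_revoked.ContainsKey(tokenId));
}

// Runs after authentication: signature and expiry have already been checked,
// so this step only adds the server-side revocation lookup.
public sealed class RevokedTokenMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IRevokedTokenStore _store;

    public RevokedTokenMiddleware(RequestDelegate next, IRevokedTokenStore store)
    {
        _next = next;
        _store = store;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var user = context.User;
        if (user?.Identity?.IsAuthenticated == true)
        {
            // Assumption: the token id is carried in the "jti" claim.
            var tokenId = user.FindFirst("jti")?.Value;

            // Fail closed: a token whose id cannot be looked up is refused,
            // otherwise a token without an id would bypass revocation.
            if (string.IsNullOrEmpty(tokenId) || await _store.IsRevokedAsync(tokenId))
            {
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                await context.Response.WriteAsync("token revoked");
                return;
            }
        }

        await _next(context);
    }
}

public static class RevokedTokenAppBuilderExtensions
{
    // Register after UseAuthentication() (so context.User is populated) and
    // before UseAuthorization(): app.UseAuthentication(); app.UseRevokedTokenCheck();
    public static IApplicationBuilder UseRevokedTokenCheck(this IApplicationBuilder app) =>
        app.UseMiddleware<RevokedTokenMiddleware>();
}
```

Register IRevokedTokenStore as a singleton (or resolve a scoped store inside InvokeAsync) so the middleware can be constructed once. The cost is one store lookup per authenticated request, which is the same trade-off the OpenIddict comment about performance refers to; a short-lived cache of revoked ids keeps that cheap.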

  • Do you store access tokens in a database? If not, you cannot invalidate them.

  • Another thing is that logout doesn't require token invalidation; you can just delete them on the client side.

  • Hi @GeorgeKarlinzer, we are deleting the tokens on the client side already. But the requirement is to invalidate the token, and yes, we are storing the token in the database.

  • Then you can try adding a custom event handler and executing custom validation logic (in your case, you can check if the token exists in the database). I hope that question will help.

I am using OpenIddict 2.0 and .NET 6 in our application and I need to
invalidate the access and refresh token during logout. But I am not
able to invalidate the token after using the RevokeAsync method
through OpenIddictTokenManager. Also, after manually deleting the token
from the database I am able to access other APIs using that same token.

OpenID Connect (OIDC) itself does not define a mechanism for token revocation, because it is built on top of OAuth 2.0, which is primarily focused on authorization and access delegation. While OAuth 2.0 provides a token revocation mechanism, OIDC does not extend it to include its own revocation process.

In other words, these tokens are self-contained and cannot be directly invalidated before their expiration.
Once they have been issued, access tokens and ID tokens cannot be revoked in the same way as cookies with session IDs for server-side sessions.

So, based on your scenario and description, you should better issue the token for relatively short periods and then refresh it periodically if the user remains active. No matter whether you save it into the database or delete it from there, it will still be valid until expiration.

Is there a way to invalidate the access token during logout using .NET
Core?

No, there's no such way. What you can do is, if you want to revoke a refresh token, send a POST request to https://{yourTokenIssuerURL/Domain}/oauth/revoke. The /oauth/revoke endpoint revokes the entire grant, not just a specific token.

In C# you can do the following:

    using RestSharp;

    // Revocation request against the issuer's /oauth/revoke endpoint (RestSharp, pre-107 API).
    var client = new RestClient("https://{yourTokenIssuerURL/Domain}/oauth/revoke");
    var request = new RestRequest(Method.POST);
    request.AddHeader("content-type", "application/json");
    // Body carries the client credentials and the refresh token to revoke.
    request.AddParameter("application/json", "{ \"client_id\": \"{yourClientId}\", \"client_secret\": \"{yourClientSecret}\", \"token\": \"{yourRefreshToken}\" }", ParameterType.RequestBody);
    IRestResponse response = client.Execute(request);

Note: please refer to RFC 7009, the official document on the OAuth 2.0 Token Revocation mechanism.
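The same revocation call, as an added example that is not the answer author's code, written with HttpClient in the shape RFC 7009 itself specifies: the token goes in an application/x-www-form-urlencoded body and the client authenticates with HTTP Basic (RFC 6749 section 2.3.1). The endpoint URL, client id, client secret and token values are placeholders; a real authorization server may additionally require its own parameters.

```csharp
// Added example, not the answer's code. Builds and sends an RFC 7009 revocation
// request. All URL and credential values below are placeholders.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

public static class TokenRevocationClient
{
    public static HttpRequestMessage BuildRevocationRequest(
        Uri revocationEndpoint, string clientId, string clientSecret,
        string token, string tokenTypeHint = "refresh_token")
    {
        var request = new HttpRequestMessage(HttpMethod.Post, revocationEndpoint);

        // RFC 7009 section 2.1: "token" (required) and "token_type_hint" (optional)
        // are sent form-encoded in the body, not as JSON.
        request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["token"] = token,
            ["token_type_hint"] = tokenTypeHint,
        });

        // Confidential client authentication: Basic base64(urlencode(id):urlencode(secret)).
        var credentials = Convert.ToBase64String(Encoding.UTF8.GetBytes(
            $"{Uri.EscapeDataString(clientId)}:{Uri.EscapeDataString(clientSecret)}"));
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);

        return request;
    }

    // RFC 7009 section 2.2: the server answers 200 even when the token was already
    // invalid, so a 200 only means "this token is not usable now", not that it was live.
    public static async Task<bool> RevokeAsync(HttpClient http, Uri revocationEndpoint,
        string clientId, string clientSecret, string token)
    {
        using var request = BuildRevocationRequest(revocationEndpoint, clientId, clientSecret, token);
        using var response = await http.SendAsync(request);
        return response.StatusCode == HttpStatusCode.OK;
    }
}

// Usage (placeholders, as in the answer above):
// var ok = await TokenRevocationClient.RevokeAsync(
//     new HttpClient(),
//     new Uri("https://{yourTokenIssuerURL/Domain}/oauth/revoke"),
//     "{yourClientId}", "{yourClientSecret}", "{yourRefreshToken}");
```

Revoking the refresh token this way stops new access tokens from being minted for that grant; whether an already-issued self-contained access token is also rejected depends on the resource server checking the token's entry on each request, which is the point the rest of this answer makes about expiration.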
