
Revoked token is still valid for UseLocalServer() configuration #2073

Closed
1 task done
dulibanarkadiusz opened this issue May 13, 2024 · 4 comments


dulibanarkadiusz commented May 13, 2024

Confirm you've already contributed to this project or that you sponsor it

  • I confirm I'm a sponsor or a contributor

Version

5.5.0

Describe the bug

Hello,
In some places of my application (e.g. the logout endpoint) I perform a user token invalidation operation. It's easy to achieve using the embedded method:

```csharp
OpenIddictTokenManager.RevokeByAuthorizationIdAsync("74ebcdcf-2b11-422b-9efa-812afde2151e");
```

This works 100% for the introspection mechanism; however, for UseLocalServer() something needs improvement. The local server seems to store most of its information in a cache, so the application remains insensitive to what is done with the token in the database.
Calling the token revocation method does not invalidate the token; the user can still perform operations in the application as long as the access token has not exceeded its expiration date. This is inconsistent: with the introspection mechanism, tokens expire immediately after they are revoked and can no longer be used.

In my opinion, the UseLocalServer() method should update the application memory to invalidate the tokens immediately as well. Then the behavior of the package would be consistent, whether I use introspection or not.

To reproduce

```csharp
services
    .AddOpenIddict()
    .AddCore(options =>
    {
        options
            .UseEntityFrameworkCore()
            .UseDbContext<ApplicationDbContext>();
    })
    .AddServer(options =>
    {
        // ...
    })
    .AddValidation(options =>
    {
        options.UseLocalServer();
        options.UseSystemNetHttp();
        options.UseAspNetCore();
    });
```

Exceptions (if any)

No response

@kevinchalet
Member

Hi @dulibanarkadiusz,

GitHub doesn't recognize you as a sponsor. Did you use a different/corporate account to sponsor the project?

@dulibanarkadiusz
Author

Try to check again now 😉

@kevinchalet
Member

👍🏻

The behavior you're seeing is 100% expected and documented here:

TL;DR:

```csharp
// For applications that need immediate access token or authorization
// revocation, the database entry of the received tokens and their
// associated authorizations can be validated for each API call.
// Enabling these options may have a negative impact on performance.
//
// options.EnableAuthorizationEntryValidation();
// options.EnableTokenEntryValidation();
```
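The reporter's validation registration with the two entry-validation options switched on, next to a logout endpoint built around the revocation call from the report, as an added example (not code from this issue or from the OpenIddict project). It assumes `services` and `app` are the usual ASP.NET Core builder objects, `ApplicationDbContext` is the reporter's EF Core context, and the minimal-API endpoint shape is hypothetical.

```csharp
using System.Security.Claims;
using OpenIddict.Abstractions;

// Assumed context: `services` / `app` from the ASP.NET Core host builder;
// ApplicationDbContext is the EF Core context used in the report.
services
    .AddOpenIddict()
    .AddCore(options =>
    {
        // Entry validation resolves the token/authorization managers from DI,
        // so the core services (here backed by EF Core) must be registered.
        options
            .UseEntityFrameworkCore()
            .UseDbContext<ApplicationDbContext>();
    })
    .AddServer(options =>
    {
        // ... server configuration unchanged ...
    })
    .AddValidation(options =>
    {
        options.UseLocalServer();
        options.UseSystemNetHttp();
        options.UseAspNetCore();

        // Without these two calls local validation only validates the token
        // itself (signature, lifetime) and never consults its database entry,
        // so a token revoked in the database stays usable until it expires.
        // With them, every API call looks up the token entry and its
        // authorization and rejects revoked ones immediately, at the cost of
        // an extra database round-trip per request.
        options.EnableTokenEntryValidation();
        options.EnableAuthorizationEntryValidation();
    });

// Hypothetical logout endpoint: revoke every token attached to the caller's
// authorization. With entry validation enabled above, the next request that
// presents one of those tokens is rejected instead of being served.
app.MapPost("/logout", async (ClaimsPrincipal user, IOpenIddictTokenManager tokens) =>
{
    var authorizationId = user.GetAuthorizationId();
    if (!string.IsNullOrEmpty(authorizationId))
    {
        await tokens.RevokeByAuthorizationIdAsync(authorizationId);
    }
    return Results.NoContent();
}).RequireAuthorization();
```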

@kevinchalet
Member

Doing some housecleaning, but feel free to reopen if you need additional details.
