Revoked token is still valid for UseLocalServer() configuration #2073
Comments
GitHub doesn't recognize you as a sponsor. Did you use a different/corporate account to sponsor the project?
Try to check again now 😉
👍🏻 The behavior you're seeing is 100% expected and documented here:
TL;DR: openiddict-core/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Startup.cs Lines 191 to 197 in 87715ec
Doing some housecleaning, but feel free to reopen if you need additional details.
Confirm you've already contributed to this project or that you sponsor it
Version
5.5.0
Describe the bug
Hello,
In some places of my application (e.g. the logout endpoint) I perform a user token invalidation operation. It's easy to achieve using the embedded method:
OpenIddictTokenManager.RevokeByAuthorizationIdAsync("74ebcdcf-2b11-422b-9efa-812afde2151e");
This way works 100% valid for the introspection mechanism; however, for UseLocalServer() something needs an improvement. The local server seems to store most of its information in cache. The application will remain insensitive to what is done with the token in the database. Calling the token revocation method does not invalidate the token; the user can still perform operations in the application - as long as the access token has not exceeded its expiration date. This is inconsistent - using the introspection mechanism, tokens expire immediately after they are revoked and can no longer be used.
In my opinion, the UseLocalServer() method should update the application memory to invalidate the tokens immediately as well. Then the behavior of the package would be consistent - whether I use introspection or not.
To reproduce
Exceptions (if any)
No response
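For reference, an added configuration example (not taken from the issue or from the OpenIddict repository) showing the validation options that make local validation consult the token store, so that a revoked entry is rejected before the access token expires. The class and method names are hypothetical, and the server and core (store) registrations are assumed to exist elsewhere in the application.

```csharp
using Microsoft.Extensions.DependencyInjection;

public static class ValidationSetup
{
    // Hypothetical helper name. Assumes AddOpenIddict().AddCore(...) and
    // .AddServer(...) are registered elsewhere in the same application and
    // that token storage has not been disabled on the server.
    public static IServiceCollection AddRevocationAwareValidation(
        this IServiceCollection services)
    {
        services.AddOpenIddict()
            .AddValidation(options =>
            {
                // Import the keys and issuer from the local server instance.
                // On its own, this validates access tokens from their
                // signature and expiration date, without a database lookup.
                options.UseLocalServer();

                // Register the ASP.NET Core host.
                options.UseAspNetCore();

                // Look up the token entry in the store on each request, so a
                // token marked as revoked is rejected even though its
                // signature and expiration date are still valid.
                options.EnableTokenEntryValidation();

                // Also check the status of the authorization entry the token
                // is attached to.
                options.EnableAuthorizationEntryValidation();
            });

        return services;
    }
}
```

With these options enabled, each API request costs a store lookup, which is the trade-off against purely local signature and expiry checks.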