
I would like to forcibly invalidate a Bearer Token that was issued by the default ApplicationOAuthProvider from the ASP.NET Web API 2 project template.

The project has the below code, which doesn't work for Bearer tokens.

Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
Kara
Theo
  • You do this by storing token hashes and blacklisting them. See https://stackoverflow.com/a/58347757/631527 – Toolkit Oct 12 '19 at 14:06

1 Answer


There's nothing built in for that - you could build your own mechanism for it which typically involves something like a database check on each request.

The other thing is, keep token lifetime short and use something like refresh tokens - see here: http://leastprivilege.com/2013/11/15/adding-refresh-tokens-to-a-web-api-v2-authorization-server/

leastprivilege
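The per-request check the answer describes, together with the short token lifetime it recommends, as an added example (not code from the question, the answer, or the Web API 2 template). It assumes the Microsoft.Owin.Security.OAuth middleware the template registers in Startup.Auth.cs and the template's static Startup.OAuthOptions property; RevokedTokenStore, RevocationAwareBearerProvider, BearerRevocationSetup, LogoutController and the api/Account/RevokeToken route are names chosen here, and the in-memory dictionary stands in for the database the answer mentions.

```csharp
// Added example, not code from the question, the answer, or the Web API 2 template.
// Real types: Microsoft.Owin.Security.OAuth (OAuthBearerAuthenticationProvider,
// OAuthRequestTokenContext) and System.Web.Http. RevokedTokenStore,
// RevocationAwareBearerProvider, BearerRevocationSetup and LogoutController are
// names invented for this example.
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Revocation list keyed by SHA-256 of the raw token, so a dumped store does not
// yield usable bearer tokens. In-memory here; back it with a database or cache
// shared by every node in a real deployment (the "database check" in the answer).
public static class RevokedTokenStore
{
    // value: when the token would expire on its own; after that the entry is dead weight
    private static readonly ConcurrentDictionary<string, DateTimeOffset> Revoked =
        new ConcurrentDictionary<string, DateTimeOffset>(StringComparer.Ordinal);

    public static string Hash(string rawToken)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(rawToken));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    public static void Revoke(string rawToken, DateTimeOffset expiresUtc)
    {
        Revoked[Hash(rawToken)] = expiresUtc;
    }

    public static bool IsRevoked(string rawToken)
    {
        return Revoked.ContainsKey(Hash(rawToken));
    }

    // Run periodically: a token past its own expiry is rejected by the middleware
    // anyway, so its revocation entry can be dropped. Returns the number removed.
    public static int Purge(DateTimeOffset nowUtc)
    {
        int removed = 0;
        foreach (var key in Revoked.Where(kv => kv.Value <= nowUtc).Select(kv => kv.Key).ToList())
        {
            DateTimeOffset ignored;
            if (Revoked.TryRemove(key, out ignored)) removed++;
        }
        return removed;
    }
}

// RequestToken runs before the middleware unprotects the ticket and is the hook
// that sees the raw token string. Clearing context.Token makes the middleware treat
// the request as anonymous, so [Authorize] actions answer 401 for a revoked token.
public class RevocationAwareBearerProvider : OAuthBearerAuthenticationProvider
{
    public override Task RequestToken(OAuthRequestTokenContext context)
    {
        if (!string.IsNullOrEmpty(context.Token) && RevokedTokenStore.IsRevoked(context.Token))
        {
            context.Token = null;
        }
        return base.RequestToken(context);
    }
}

// Call from Startup.ConfigureAuth in place of the template's two app.UseOAuth* lines.
// The template issues 14-day tokens; a short lifetime bounds the damage from any token
// that is never revoked, and refresh tokens (see the linked post) keep clients logged in.
public static class BearerRevocationSetup
{
    public static void Apply(IAppBuilder app, OAuthAuthorizationServerOptions oauthOptions)
    {
        oauthOptions.AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15); // template default: 14 days
        app.UseOAuthAuthorizationServer(oauthOptions);
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new RevocationAwareBearerProvider()
        });
    }
}

// Revocation endpoint: records the hash of the token that authenticated this request.
// The template's Authentication.SignOut(...) only clears the cookie identity.
[Authorize]
public class LogoutController : ApiController
{
    [HttpPost, Route("api/Account/RevokeToken")]
    public IHttpActionResult RevokeToken()
    {
        var auth = Request.Headers.Authorization;
        if (auth == null || !string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase))
        {
            return BadRequest("Request did not carry a bearer token.");
        }
        // Startup.OAuthOptions is the template's static options property; its lifetime
        // is an upper bound on how long this entry needs to live.
        var expires = DateTimeOffset.UtcNow.Add(Startup.OAuthOptions.AccessTokenExpireTimeSpan);
        RevokedTokenStore.Revoke(auth.Parameter, expires);
        return Ok();
    }
}
```

A client logs out by POSTing to api/Account/RevokeToken with its bearer token; every later request carrying that token is answered 401 by [Authorize] actions, while other tokens for the same user stay valid. Two caveats a practitioner should keep in mind: the template's tokens are self-contained protected tickets that the server keeps no record of, which is why the answer says nothing is built in and why the list must hold the token hash rather than look the token up; and the check runs on every authenticated request, so in-process memory only works for a single node and the store has to be shared (and persisted) once there is more than one. RequestToken is used rather than ValidateIdentity because the latter runs after the ticket has been unprotected and exposes the claims but not the raw token string.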
  • Many thanks. I think building my own mechanism would be best. I've noticed that generating another bearer token invalidates the previous one. So part of the logoff procedure could simply create another token that isn't returned to the user. – Theo Nov 18 '13 at 17:11
  • Not sure how you observed that behavior - but I cannot confirm that. – leastprivilege Nov 18 '13 at 20:22
  • @Theo, "generating another bearer token invalidates the previous one". That's not the default behavior of Bearer Tokens since they validate the token based on user info and system date. If they match those criteria, they are valid. – ericosg Nov 05 '15 at 16:40
  • Crazy, I can't know which are the authorized apps and there is no way to disable them, what were they thinking? – Toolkit Apr 25 '18 at 16:11
  • Did you find a solution to this problem? I'm in the exact same situation currently and refuse to believe they didn't think of this issue when coding identity for web APIs. – ObedMarsh Aug 04 '19 at 22:49