Background:

I have a mobile application that stores a user's ASP.NET Identity token (encrypted) for the back-end web API.

I managed to find myself in a situation where my debugging database was completely corrupted, so I dropped and recreated it using Migrations. As part of the Seed() method, the database gets populated with a single user, which has the same credentials as the last user, just a different ID and Security Stamp.

I've found that if I send any HTTP requests to the API using the token belonging to the now deleted user, without logging the new user in, the web API still grants me authentication.

Also, if I call any Identity functions on the current user, such as HttpContext.Current.User.Identity.GetUserId(); the old user's information is returned.

Question:

So long as the token hasn't expired, will it always be valid? - Even if the user has been deleted / logged out?

(After some more digging about, I noticed that logging a user out, then sending a new request with the old token still works).

If this is by design, how is this safe? (Is there anything I'm supposed to do as the developer to revoke tokens?)

KidCode

1 Answer

Typically the token is only rejected if the validation interval has elapsed. At that time, it will check the token's security stamp and if it is still valid then it automatically refreshes the user's claims from the database, and if not will throw a not authenticated response.

If you want to propagate role changes immediately, then you need to change things up so it checks the database every time a request is made. See more on that here.

Matthew
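The per-request check the answer describes, written for the OWIN bearer-token middleware a mobile client would hit. This is an added example, not code from the question or answer; it assumes the Visual Studio template names ApplicationUserManager and ApplicationUser, that the user manager is registered with CreatePerOwinContext as in that template, and that the token was issued by Identity 2.x so it carries the "AspNet.Identity.SecurityStamp" claim.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // CreatePerOwinContext / UseOAuthAuthorizationServer omitted (template code).
        // This middleware decrypts the bearer token on every API request.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new OAuthBearerAuthenticationProvider
            {
                OnValidateIdentity = ValidateSecurityStampAsync
            }
        });
    }

    // Runs after the token is decrypted but before the request is authenticated.
    // Costs one database round trip per request, which is the trade-off for
    // immediate revocation instead of waiting for a validation interval.
    private static async Task ValidateSecurityStampAsync(OAuthValidateIdentityContext context)
    {
        ClaimsIdentity identity = context.Ticket.Identity;
        string userId = identity.GetUserId();
        // Claim type written by Identity 2.x when the token's identity was created.
        string tokenStamp = identity.FindFirstValue("AspNet.Identity.SecurityStamp");

        if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(tokenStamp))
        {
            context.Rejected();   // token predates stamps or was not issued by Identity
            return;
        }

        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        ApplicationUser user = await userManager.FindByIdAsync(userId);
        if (user == null)
        {
            context.Rejected();   // user row is gone, e.g. dropped and re-seeded database
            return;
        }

        string currentStamp = await userManager.GetSecurityStampAsync(userId);
        if (!string.Equals(tokenStamp, currentStamp, StringComparison.Ordinal))
        {
            context.Rejected();   // stamp was rotated by UpdateSecurityStampAsync on sign-out
            return;
        }
        context.Validated();
    }
}
```

To make sign-out revoke the token, call UpdateSecurityStampAsync(userId) in the logout action so the stamp in the database no longer matches the one inside any previously issued token.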