2

I have Azure Mobile Service and AD set up for authentication.

Log out and login works perfectly through mobile app.

AD application reply url is https://test.azure-mobile.net/signin-aad

client = new MobileServiceClient (applicationURL, applicationKey);

var authResult = await client.LoginAsync(this, MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory);

var data = await client.InvokeApiAsync("testAPI", HttpMethod.Get, null); //Works

client.Logout(); // LOGOUT

var data = await client.InvokeApiAsync("testAPI", HttpMethod.Get, null); //Unauthorized Error at mobile side. Request not going to API

This working is perfect.

But if I copy the token from authResult after LOGOUT, I can use same token to call API from postman.

Header: X-ZUMO-AUTH → token

How I can validate the token? Any setting needed at Azure Mobile Service Side to validate and prevent this?

Soner Gönül
  • 97,193
  • 102
  • 206
  • 364
Snehal R. Todkar
  • 61
  • 6

1 Answers1

3

When you log out on the client, the auth token is removed from the client but nothing is communicated to the server to indicate that this token is now invalid. So if the token is stored off somewhere else and re-used, it will still be valid until it expires.

I'm not sure there's a good way to do this. You could reset the site's master key but that invalidates all other tokens, so that's not really a viable option. You could store a list of invalid tokens on the server and check them with each request, but that adds a lookup with each request.

Here's another question with a similar answer and a couple other links: Logout/invalidate a JWT

Community
  • 1
  • 1
brettsam
  • 2,702
  • 1
  • 15
  • 24
  • How to check invalid tokens on the server? – Snehal R. Todkar Jan 13 '16 at 05:27
  • 1
    You'd need to create an ApiController that takes a token and adds it to some kind of storage (database, Azure Tables, etc). When a client logs out, you also need to send the token to this new Controller for it to be logged as invalid. Then with each request that comes in, you'd check if the token existed there. If it did, then the token is invalid. You could remove them after the expiration has passed. See #2 from this answer: http://stackoverflow.com/a/23089839/3516125. Other searches for 'invalidate JWT' will give you some other approaches. – brettsam Jan 13 '16 at 15:09