
I am using this library https://github.com/openiddict/openiddict-core and implemented the OAuth token flow.

    // Register the OpenIddict services.
    // Note: use the generic overload if you need
    // to replace the default OpenIddict entities.
    services.AddOpenIddict(options =>
    {
        // Register the Entity Framework stores.
        options.AddEntityFrameworkCoreStores<ApplicationDbContext>();

        // Register the ASP.NET Core MVC binder used by OpenIddict.
        // Note: if you don't call this method, you won't be able to
        // bind OpenIdConnectRequest or OpenIdConnectResponse parameters.
        options.AddMvcBinders();

        // Enable the token endpoint (required to use the password flow).
        options.EnableTokenEndpoint("/connect/token");

        // Allow client applications to use the grant_type=password flow.
        options.AllowPasswordFlow();

        // During development, you can disable the HTTPS requirement.
        options.DisableHttpsRequirement();
    });

Mostly everything is working. I also included RoleManager along with it, and roles are being stored in the token as well using this:

    var principal = await _signInManager.CreateUserPrincipalAsync(user);

    // Only claims with a destination are copied into the issued tokens.
    foreach (var claim in principal.Claims.Where(c => c.Type == OpenIdConnectConstants.Claims.Role))
    {
        claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken, OpenIdConnectConstants.Destinations.IdentityToken);
    }

So far everything is done. After that, an admin user goes and modifies the role to make him Supervisor, etc. At this point of role change I want to make the previous tokens invalid. Is this possible in the library? Because at the moment he is able to use the old token which has the "Maid" role, and that is incorrect because somebody just changed his role to "Supervisor". In this case I want that when the client sends the old token it should not be treated as valid and should be sent back to the login page.

How do I handle this in OpenIDDict library?

Tim Liberty
  • The token is passed with each request from the client app, which gets it in return e.g. for credentials. So if roles change on the server, the client app has to know about it and request a new token (which will include the new roles). So you should push some notification to the client so that it gets a new token (preferably behind the scenes without logging out the user). In general I'd say it's OK that the user doesn't get the new role immediately. For this he, IMHO, has to log in again and start a new session. – Maxim Zabolotskikh Feb 13 '18 at 07:04
  • @MaximZabolotskikh: Rather than relying on push notifications I would want that the token is invalidated and the client should see the login page if he sends over the old token. Is this possible? – Tim Liberty Feb 13 '18 at 08:33
  • I think this one is a similar question: https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens. Also as an option you can include the date/time when the token was issued + at the token validation stage you can compare it with the date when the user information changed. For example, the token was issued on 01.01.2001 13:00 and the user got a new role on 01.01.2001 13:10. So you can just compare these two dates and tell that the token is not valid anymore. As one more option you can try to use a kind of e-tags or so. Anyway, I believe the main idea must be clear now. – Igor Gnedysh Feb 13 '18 at 08:45
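One way to implement the "issued before the last change" check that the comments describe, using ASP.NET Core Identity's security stamp instead of a timestamp. This is an added example, not code from the question or from the OpenIddict project; it assumes an Identity user type named ApplicationUser, that the `sub` claim carries the user id (as in the OpenIddict samples), and that the token-issuing code calls `AddSecurityStampToAccessToken` on the principal before creating the ticket.

```csharp
// Added example (not from the question or OpenIddict). ApplicationUser is assumed.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Primitives;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

// 1) At token issuance: CreateUserPrincipalAsync already adds Identity's security-stamp
//    claim, but OpenIddict only serializes claims that have a destination. Put it in the
//    access token only (never the id_token, which the client can read).
public static void AddSecurityStampToAccessToken(ClaimsPrincipal principal, IdentityOptions identityOptions)
{
    var stampType = identityOptions.ClaimsIdentity.SecurityStampClaimType;
    foreach (var claim in principal.Claims.Where(c => c.Type == stampType))
        claim.SetDestinations(OpenIdConnectConstants.Destinations.AccessToken);
}

// 2) On every authenticated request: a token whose stamp differs from the stored one is stale.
//    Register after UseAuthentication() so context.User is already populated from the token.
public class SecurityStampCheckMiddleware
{
    private readonly RequestDelegate _next;
    public SecurityStampCheckMiddleware(RequestDelegate next) { _next = next; }

    public async Task InvokeAsync(HttpContext context,
        UserManager<ApplicationUser> userManager, IOptions<IdentityOptions> identityOptions)
    {
        var principal = context.User;
        if (principal?.Identity?.IsAuthenticated == true)
        {
            var tokenStamp = principal.FindFirst(identityOptions.Value.ClaimsIdentity.SecurityStampClaimType)?.Value;
            var userId = principal.FindFirst(OpenIdConnectConstants.Claims.Subject)?.Value;
            var user = userId == null ? null : await userManager.FindByIdAsync(userId);
            var currentStamp = user == null ? null : await userManager.GetSecurityStampAsync(user);
            // Missing, unknown or rotated stamp: answer 401 so the client drops the token
            // and sends the user back through the login flow.
            if (tokenStamp == null || currentStamp == null || tokenStamp != currentStamp)
            {
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                context.Response.Headers["WWW-Authenticate"] = "Bearer error=\"invalid_token\"";
                return;
            }
        }
        await _next(context);
    }
}

// 3) When an admin changes roles, rotate the stamp: every token issued before now fails step 2.
public static async Task ChangeRoleAsync(UserManager<ApplicationUser> userManager, ApplicationUser user, string oldRole, string newRole)
{
    await userManager.RemoveFromRoleAsync(user, oldRole);
    await userManager.AddToRoleAsync(user, newRole);
    await userManager.UpdateSecurityStampAsync(user);
}
```

The cost is one user lookup per request; if that is too much, cache the current stamp per user id and evict the entry from `ChangeRoleAsync`.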

0 Answers