
I deployed a web app in Azure with authorization/authentication set up. Once you have logged in to the web app you are able to get the token using:

https:{webappname}.azurewebsites.com/.auth/me

Then I tried to get the token and used it in Postman in the AUTHORIZATION header, and it worked: I was able to access the site with Postman using that token. Now my concern is that after I logged out using:

https:{webappname}.azurewebsites.com/.auth/logout

I can still access the site using the token that I got recently. Can someone explain why this is happening?

Thanks :D

bermz kastral
  • That's happening because logout isn't necessarily invalidating the token. You could try to maintain a custom list on the server for such invalid tokens. There are other SO posts with similar discussion so I'm not adding a new answer here. Take a look - https://stackoverflow.com/questions/34744454/azure-mobile-service-active-directory-authentication-x-zumo-auth-token-valid-in?lq=1 and here's another popular one https://stackoverflow.com/questions/21978658/invalidating-json-web-tokens – Rohit Saigal Sep 19 '18 at 11:36
  • @RohitSaigal Thanks. – bermz kastral Sep 20 '18 at 10:19
  • @bkastral you're welcome. Initially I thought I was definitely going to find a duplicate for this one, but I guess I was wrong. On searching a few times I couldn't really find anything with a similar title :) I'm adding the comment as an answer for future reference. – Rohit Saigal Sep 21 '18 at 01:13

1 Answer


That's happening because logout isn't necessarily invalidating the token.

In order to do something at your end, you could try to maintain a custom list on the server for such invalid tokens.

Please look at these two SO posts, which discuss this in a lot more detail.

Rohit Saigal
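The answer's suggestion of a server-side list of invalidated tokens, as an added example that is not part of the original question or answer and is not Azure App Service code. It assumes a self-issued, HMAC-signed bearer token with a `jti` (token id) and `exp` (expiry) claim, a hypothetical signing key, and a `handle_request` helper standing in for the protected route; the point it shows is that a signed token stays valid until it expires unless the server records the logout and checks that record on every request, and that the record only needs to be kept until the token would have expired anyway.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical signing key; a real deployment would load it from a secret store.
SECRET = b"example-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: float, jti: str) -> str:
    """Mint a compact token of the form <base64url payload>.<base64url HMAC>."""
    payload = {"sub": subject, "jti": jti, "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


class RevocationList:
    """Server-side record of logged-out token ids, kept only until they expire."""

    def __init__(self):
        self._revoked = {}  # jti -> exp

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def sweep(self, now: float) -> None:
        # An expired token is refused anyway, so its entry can be dropped.
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def is_revoked(self, jti: str, now: float) -> bool:
        self.sweep(now)
        return jti in self._revoked


def verify_token(token: str, revocations: RevocationList, now: float):
    """Return the payload if the signature, expiry and revocation checks pass, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # tampered or forged
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        return None  # expired
    if revocations.is_revoked(payload["jti"], now):
        return None  # logged out: signature is still valid, so this check is essential
    return payload


def logout(token: str, revocations: RevocationList, now: float) -> bool:
    """Logout handler: remember the token id so later requests with it are refused."""
    payload = verify_token(token, revocations, now)
    if payload is None:
        return False
    revocations.revoke(payload["jti"], payload["exp"])
    return True


def handle_request(headers: dict, revocations: RevocationList, now: float) -> int:
    """Protected route: 200 if the bearer token is accepted, otherwise 401."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401
    return 200 if verify_token(auth[len("Bearer "):], revocations, now) else 401


if __name__ == "__main__":
    rev = RevocationList()
    t0 = time.time()
    tok = issue_token("alice", 3600, t0, "jti-1")
    print("before logout:", handle_request({"Authorization": "Bearer " + tok}, rev, t0 + 10))
    logout(tok, rev, t0 + 20)
    print("after logout: ", handle_request({"Authorization": "Bearer " + tok}, rev, t0 + 30))
```

Without the `is_revoked` check, the second request would still return 200, which is exactly the behaviour described in the question: the token's signature and expiry are unchanged by logout. The list is bounded because entries are swept once the token they refer to has expired; keeping token lifetimes short limits both the window in which a leaked token remains usable and the size of this list.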