I've used OWIN OAuth 2 to implement my Authorization Server Provider. Now, I want to implement token revocation (when my client application wants to logout).
Can anybody help me and tell me how to implement token revocation in OWIN KATANA OAuth 2? Are there some good practices for it?
There are two kinds of token involved in OAuth 2.0. One is access token and the other is refresh token.
For refresh token, I really recommend Token Based Authentication using ASP.NET Web API 2, Owin, and Identity written by Taiseer Joudeh. He provides a step by step tutorial on setting up token based authentication, including revoking refresh token.
For access tokens, I use a black list to store revoked access tokens. When a user logs out, I add the user's current access token to the black list. When a new request comes in, I first check whether its access token is in the black list. If yes, reject the request; otherwise let the OAuth component do the validation.
Here are some implementation details:
I use cache to work as a black list and set cache item's expiration to the access token's expiration. The cache item (access token) will be removed from black list automatically after it expires. (We don't need to keep the access token in the black list after it expires. If the token expires, no matter whether it's in the black list or not, it can't pass OAuth validation mechanism).
The following code shows how to reject a request if its access token is in the black list.
What I do is, if I find the access token in the black list, I set the access token to an empty string. Later, when the OAuth component tries to parse the token, it finds that the token is empty. An empty string definitely isn't a valid token, so it will reject the request, just as if you had sent a request with an invalid access token.
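The black-list approach described in this answer, written out as an added example (it is not the answerer's code and not part of Katana itself). It assumes a single-process deployment using `System.Runtime.Caching.MemoryCache`, that the bearer token arrives in the `Authorization: Bearer ...` header, and that the application already configures `UseOAuthBearerAuthentication`. One design choice of my own: the cache key is a SHA-256 hash of the token rather than the raw token, so the black list never holds usable bearer tokens in memory. The class and endpoint names (`RevokedTokenStore`, `RevokedTokenMiddleware`, `/api/logout`) are placeholders.

```csharp
using System;
using System.Runtime.Caching;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Assumed in-memory black list. Entries expire together with the token they
// represent, so an expired token never lingers in the list.
public static class RevokedTokenStore
{
    private static readonly MemoryCache Cache = MemoryCache.Default;

    // Hash the token before using it as a key so the cache never stores a
    // raw, replayable bearer token (design choice for this example).
    private static string Key(string accessToken)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(accessToken));
            return "revoked:" + BitConverter.ToString(digest).Replace("-", "");
        }
    }

    public static void Revoke(string accessToken, DateTimeOffset expiresUtc)
    {
        if (string.IsNullOrEmpty(accessToken) || expiresUtc <= DateTimeOffset.UtcNow)
            return; // nothing to do: an expired token already fails OAuth validation
        Cache.Set(Key(accessToken), true, new CacheItemPolicy { AbsoluteExpiration = expiresUtc });
    }

    public static bool IsRevoked(string accessToken)
    {
        return !string.IsNullOrEmpty(accessToken) && Cache.Contains(Key(accessToken));
    }
}

// Runs BEFORE the OAuth bearer middleware. If the presented token is revoked,
// the header is rewritten to an empty bearer value so Katana's bearer
// authentication rejects the request as it would any invalid token.
public class RevokedTokenMiddleware : OwinMiddleware
{
    public RevokedTokenMiddleware(OwinMiddleware next) : base(next) { }

    public override Task Invoke(IOwinContext context)
    {
        string header = context.Request.Headers.Get("Authorization");
        if (!string.IsNullOrEmpty(header) &&
            header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
        {
            string token = header.Substring("Bearer ".Length).Trim();
            if (RevokedTokenStore.IsRevoked(token))
            {
                context.Request.Headers.Set("Authorization", "Bearer ");
            }
        }
        return Next.Invoke(context);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Order matters: the black-list check must see the original header
        // before the bearer middleware validates it.
        app.Use<RevokedTokenMiddleware>();
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

        // Logout endpoint (placeholder path): authenticate the caller's bearer
        // token, then black-list it until its own expiry.
        app.Map("/api/logout", branch => branch.Run(async ctx =>
        {
            var result = await ctx.Authentication.AuthenticateAsync(OAuthDefaults.AuthenticationType);
            if (result == null || result.Identity == null || !result.Identity.IsAuthenticated)
            {
                ctx.Response.StatusCode = 401;
                return;
            }

            string header = ctx.Request.Headers.Get("Authorization") ?? "";
            string token = header.Substring("Bearer ".Length).Trim();
            DateTimeOffset expires = result.Properties.ExpiresUtc ?? DateTimeOffset.UtcNow.AddMinutes(30);
            RevokedTokenStore.Revoke(token, expires);

            ctx.Response.StatusCode = 204; // logged out; the token is now rejected
        }));
    }
}
```

Because `MemoryCache` is per process, a farm of several web servers would each keep its own list and a revoked token would still be accepted by the other nodes; in that setup the same two methods need a shared store (a database table or distributed cache with the same per-entry expiry). The fallback expiry used when the ticket carries no `ExpiresUtc` is only a guess and should be replaced by the real access-token lifetime configured in your `OAuthAuthorizationServerOptions`.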
According to the OAuth 2.0 RFC, the refresh token is not used to revoke a token - refresh "access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner". The refresh token is used to increase the life-span of an access token or to renew the old access token with a new one that will expire later. That's usually used to avoid asking the user for his/her credentials once again. In order to revoke a token, the OAuth 2.0 provider should expose such a WS/endpoint or some other mechanism.
Refresh tokens are how OAuth2 allows for authorization revocation. Microsoft's OAuth2 authorization server middleware is lacking in this regard:
http://leastprivilege.com/2014/03/24/the-web-api-v2-oauth2-authorization-server-middlewareis-it-worth-it/