Identityserver4: Signout of Identity server doesn't invalidate the tokens

Created on 22 Jun 2020 · 3 Comments · Source: IdentityServer/IdentityServer4

Question

Once I log out of identity server the access token issued still remains valid. Is this the intended way? Does the Identity server not automatically revoke the tokens once a user is logged out?

question wontfix

All 3 comments

I assume you are using a self-contained access token (like a JWT). In that case the access tokens are not being 'revoked' by IdentityServer. Self-contained tokens mean that all the claims (like expiration date) are stored in the token and the token is protected with a signature.

You can either keep the lifetime of your access token small and revoke the user's refresh tokens when logging out or use reference tokens instead of self-contained access tokens.

Or maybe you can signal a sign out to your clients, but this may not always work.
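
The behaviour this comment describes, modelled as a small Python sketch (an added example, not IdentityServer4 code and not from the thread). An HMAC stands in for the JWT signature, and the in-memory stores, function names and lifetimes are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

KEY = secrets.token_bytes(32)  # constructed signing key for this sketch
REFERENCE_STORE = {}           # handle -> claims, kept by the token service
REFRESH_STORE = {}             # refresh token -> claims, kept by the token service

def _mac(body):
    digest = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()

def issue_self_contained(sub, lifetime, now):
    """All claims, including exp, travel inside the signed token."""
    claims = json.dumps({"sub": sub, "exp": now + lifetime}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    return body + "." + _mac(body)

def validate_self_contained(token, now):
    """What an API checks locally: signature and exp, no call to the issuer."""
    body, _, mac = token.partition(".")
    ok = hmac.compare_digest(mac.encode(), _mac(body).encode())
    return ok and json.loads(base64.urlsafe_b64decode(body))["exp"] > now

def issue_reference(sub, lifetime, now):
    handle = secrets.token_urlsafe(32)  # opaque; the claims stay on the server
    REFERENCE_STORE[handle] = {"sub": sub, "exp": now + lifetime}
    return handle

def introspect(handle, now):
    """The API asks the issuer, so a deleted handle is rejected at once."""
    claims = REFERENCE_STORE.get(handle)
    return claims is not None and claims["exp"] > now

def issue_refresh(sub):
    token = secrets.token_urlsafe(32)
    REFRESH_STORE[token] = {"sub": sub}
    return token

def sign_out(sub):
    """Logout can only delete state the server holds for this subject."""
    for store in (REFERENCE_STORE, REFRESH_STORE):
        for key in [k for k, v in store.items() if v["sub"] == sub]:
            del store[key]

def demo(now=1_700_000_000):
    jwt_like = issue_self_contained("alice", 300, now)
    ref, refresh = issue_reference("alice", 3600, now), issue_refresh("alice")
    sign_out("alice")
    return (validate_self_contained(jwt_like, now + 60),   # still accepted
            validate_self_contained(jwt_like, now + 301),  # only exp ends it
            introspect(ref, now + 60), refresh in REFRESH_STORE)
```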

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
