Closed kkdeveloper7 closed 1 year ago
This documentation might be of some help to you. https://docs.duendesoftware.com/identityserver/v5/ui/logout/notification https://docs.duendesoftware.com/identityserver/v5/reference/models/client/#authentication--session-management
When a session is revoked, Identity Server can use the information in the session to determine which clients to send a notification to. Those clients can ingest and act upon that notification to log the user out.
This documentation might be of some help to you. https://docs.duendesoftware.com/identityserver/v5/ui/logout/notification https://docs.duendesoftware.com/identityserver/v5/reference/models/client/#authentication--session-management
When a session is revoked, Identity Server can use the information in the session to determine which clients to send a notification to. Those clients can ingest and act upon that notification to log the user out.
Thank you! It looks like Back Channel Notification
is something that I am looking for. Is there a specification on how this needs to be implemented? We would have to notify multiple microservices that user has been logged out so they can cache the access_token
in their black list for x amount of minutes to prevent replay attacks on those tokens that are not yet expired.
Is there a specification on how this needs to be implemented?
The spec for back channel logout is here: https://openid.net/specs/openid-connect-backchannel-1_0.html
We do have a sample here: https://docs.duendesoftware.com/identityserver/v6/samples/basics/#mvc-client-with-back-channel-logout-notifications
Which version of Duende IdentityServer are you using? 6.1.0 Which version of .NET are you using? dotnet6
Question I have a question about revocation of an access token and/or refresh token. When token is revoked, consuming application will have no knowledge of revocation of access token and it will just keep validating it against local configuration on how it should be validated.
I did some digging around and was unable to locate a standard approach how to handle this. Reaching out to identity server context and checking against database if the token was revoked does not seem to be a scalable solution? Another potential solution I was thinking about is to track all of this in our wrapping service that we have around
Identity Server
to keep track of this and track revocation token there. However, reaching out to it on every request also does not seem to be efficient and will have a delay in notification of revocation if that responses are cached.Any thoughts on this? Thank you.