StuFrankish
commented
1 year ago This documentation might be of some help to you. https://docs.duendesoftware.com/identityserver/v5/ui/logout/notification https://docs.duendesoftware.com/identityserver/v5/reference/models/client/#authentication--session-management
When a session is revoked, Identity Server can use the information in the session to determine which clients to send a notification to. Those clients can ingest and act upon that notification to log the user out.
kkdeveloper7
brockallen
Which version of Duende IdentityServer are you using? 6.1.0 Which version of .NET are you using? dotnet6
Question I have a question about revocation of an access token and/or refresh token. When token is revoked, consuming application will have no knowledge of revocation of access token and it will just keep validating it against local configuration on how it should be validated.
I did some digging around and was unable to locate a standard approach how to handle this. Reaching out to identity server context and checking against database if the token was revoked does not seem to be a scalable solution? Another potential solution I was thinking about is to track all of this in our wrapping service that we have around
Identity Serverto keep track of this and track revocation token there. However, reaching out to it on every request also does not seem to be efficient and will have a delay in notification of revocation if that responses are cached.Any thoughts on this? Thank you.