IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0
9.21k stars 4k forks

Force user sign out from server without user interaction? #5468

Closed remus-corneliu closed 1 year ago

remus-corneliu commented 2 years ago

I have a requirement in which I have to sign out some user to which a JWT was emitted, but without the user having to know about this (so somehow to invalidate a token or to force the user to log in again).

Following is the scenario. Say I am assigned some roles and I sign in to the system and the system generates a JWT for me to which it attaches my roles, but does not keep any reference to it anywhere or any other mechanism to identify it. The token is dealt and that is it. Now a 2nd user that has admin rights can go ahead and remove some of the roles that I have, but since I already have a valid token I can still use it till it expires and still can get access according to the old roles list to parts of the system that I shouldn't have rights to access.

This is my issue: the requirement is to not keep any reference to identify a token in the system, so I have no idea how I can overcome this issue.
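The scenario in the post, reproduced as an added example that is not code from the issue, from IdentityServer, or from the poster. It is written in Python rather than the project's C# so it runs stand-alone: a self-contained HS256 JWT carries the roles at issuance, an admin removes a role, and the token still authorizes until `exp` because nothing re-checks it. The second authorizer shows the usual way to force a re-login without keeping any per-token reference: the user record carries a per-user security stamp (the claim name `sec_stamp`, the in-memory user store, the signing key and the user names are all constructed for this example; ASP.NET Identity's security stamp is the analogous built-in concept), the stamp is rotated whenever roles change, and a token whose stamp no longer matches is rejected even though its signature and expiry are fine.

```python
"""Stale role claims in a self-contained JWT, and a per-user security-stamp
check that catches them without storing any reference to issued tokens."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key. A real deployment uses a managed signing key.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, roles, sec_stamp: str, ttl: int, now: int) -> str:
    """Issue an HS256 JWT carrying the user's roles and current security stamp."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "role": sorted(roles), "sec_stamp": sec_stamp,
               "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int):
    """Return the claims if signature, algorithm and expiry check out, else None."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    signing_input = (head_b64 + "." + body_b64).encode("ascii")
    expected = hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":  # only HS256 is ever issued here
        return None
    claims = json.loads(_b64url_decode(body_b64))
    if now >= claims.get("exp", 0):
        return None
    return claims


def remove_role(users: dict, sub: str, role: str) -> None:
    """Admin action: drop a role and rotate the user's security stamp.
    The store holds per-user state only; it never records issued tokens."""
    users[sub]["roles"].discard(role)
    users[sub]["sec_stamp"] = secrets.token_hex(8)


def authorize_stateless(token: str, required_role: str, now: int) -> bool:
    """The posted scenario: trust the role claim until the token expires."""
    claims = verify_token(token, now)
    return claims is not None and required_role in claims["role"]


def authorize_with_stamp(token: str, required_role: str, now: int, users: dict) -> bool:
    """Same, plus a per-user stamp comparison. A rotated stamp means the
    claims predate a role change and the caller must authenticate again."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    user = users.get(claims["sub"])
    if user is None or not hmac.compare_digest(user["sec_stamp"], claims["sec_stamp"]):
        return False
    return required_role in claims["role"]


def demo() -> dict:
    """Walk through issue -> role removal -> re-use of the old token."""
    now = 1_700_000_000
    # Constructed user store: one user, two roles, a fresh stamp.
    users = {"alice": {"roles": {"admin", "editor"}, "sec_stamp": "stamp-1"}}
    tok = mint_token("alice", users["alice"]["roles"], users["alice"]["sec_stamp"], 600, now)
    before = (authorize_stateless(tok, "admin", now),
              authorize_with_stamp(tok, "admin", now, users))
    remove_role(users, "alice", "admin")
    after = (authorize_stateless(tok, "admin", now + 1),          # still True: stale claim
             authorize_with_stamp(tok, "admin", now + 1, users))  # False: stamp rotated
    expired = authorize_stateless(tok, "admin", now + 601)
    return {"before": before, "after": after, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The stamp check costs one user-store lookup per request, which is the trade-off against a purely self-contained token; pairing it with a short `exp` and a refresh flow bounds how long a stale token is honoured even where that lookup is not done.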

leastprivilege commented 2 years ago

Important update

This organization is not maintained anymore besides critical security bugfixes (if feasible). This organization will be archived when .NET Core 3.1 end of support is reached (3rd Dec 2022). All new development is happening in the new Duende Software organization.

The new Duende IdentityServer comes with a commercial license but is free for dev/testing/personal projects and companies or individuals making less than 1M USD gross annual revenue. Please get in touch with us if you have any questions.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

github-actions[bot] commented 1 year ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.