robisim74 / AngularSPAWebAPI

Angular Single Page Application with an ASP.NET Core Web API that uses token authentication
MIT License

Sign out functionality not working correctly #9

Closed pwen090 closed 7 years ago

pwen090 commented 7 years ago

Hello, first thank you so much for your effort on this sample project.

I was reviewing it as in my own implementation of Angular+IdentityServer I am having trouble making the Sign Out functionality fully sign out a user, and I was hoping this project was doing that successfully, but it seems it suffers the same issue.

When you sign in the server returns a Bearer token to use for subsequent API requests, say to the values API. When you sign out the app is sending two requests to /connect/revocation, one to revoke the access_token and the other to revoke the refresh_token. These both return 200 to indicate success; however, someone with the Bearer token can still log in after these two revocations have been called.

You can reproduce this by logging in to the app; grab the Bearer token with Chrome, then make a request with that token to /api/values with something like Postman, including the Bearer token. You will see that even after Log Out you can still successfully use that token, meaning it has not actually been revoked.

This is the same issue I am having in my own project, and I was wondering if you are aware of this issue and know of any fix to make your Angular2SPAWebAPI successfully Log Out so that tokens cannot be reused after the fact? Thank you.

robisim74 commented 7 years ago

Hi @pwen090,

revocation only works if you are using reference tokens or refresh tokens: http://docs.identityserver.io/en/release/endpoints/revocation.html.

JWT tokens remain valid until the expiry.

pwen090 commented 7 years ago

Ah! Did not read into that nuance in the documentation. In your opinion does that make using JWT tokens less secure as sign out does not really fully sign out a user? Or do you know of some other work around or method if using JWT to fully sign out a user?

robisim74 commented 7 years ago

I don't know a workaround for that (there were a lot of issues in IdentityServer): for this reason we use a short duration of the token and the refresh token.

In the service of my app I created the APIs which I thought were useful, but I have to remove the call to the revocation of the token and leave only the call to the revocation of the refresh token (thanks for reporting).

robisim74 commented 7 years ago

The call to the revocation endpoint has been removed for the JWT token.

pwen090 commented 7 years ago

We are exploring moving to using a reference token which seems it can be more explicitly revoked. Do you think this is a good option or can think of any downsides or any other advice? Thank you so much again.

robisim74 commented 7 years ago

Reference tokens are more secure for a lot of reasons, not only for the question of revocation, but you should switch to an implicit flow and change the architecture of your app. The best project that I know that uses Angular, ASP.NET Core & IdentityServer4 with an implicit flow is this: https://damienbod.com/2016/10/01/identityserver4-webapi-and-angular2-in-a-single-asp-net-core-project/

I hope it can be helpful.

Greetings