
How to implement ITokenHandle interface in UserService to revoke a reference token


I have an Identity Server 3 based Authentication service. It's currently using JWTs, but I'm planning to switch over to reference tokens so that we can revoke them when the user logs out of the client application. I've been researching this (Dominick Baier - Reference Tokens and Introspection) and understand that one option - the one I'd like to implement - is to have my user service - part of my authentication service implementation - use the Identity Server ITokenHandle interface to revoke the token. I have not been able to find any more information on this interface or how to implement it in my user service.

Has anyone done Identity Server 3 token revocation in their user service or can anyone point me to more information about this approach?


Solution

  • The two GitHub postings in the comments on the original post contained the information I needed. I was able to switch from JWTs to reference tokens and then implement automatic revocation of the reference tokens on user sign out. The switch of the token type was a simple matter of setting

    AccessTokenType = AccessTokenType.Reference
    

    in my client setup code. To revoke the tokens on sign out I first added

    idSrvFactory.Register(new Registration<DefaultClientPermissionsService>());
    

    in Startup.cs. Then in my UserService, I added it to the UserService constructor

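    // Field holding the service injected by the IdentityServer factory.
    private readonly DefaultClientPermissionsService _clientPermissionsSvc;

    public UserService(DefaultClientPermissionsService clientPermissionsSvc)
    {
        _clientPermissionsSvc = clientPermissionsSvc;
    }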
    

    Then finally, still in my UserService, I implemented

    public override async Task SignOutAsync(SignOutContext context)
    {
        string subjectId = GetSubjectId(context);
        // Await the revocation so that a failure surfaces during sign-out
        // instead of being lost in an unobserved task.
        await _clientPermissionsSvc.RevokeClientPermissionsAsync(subjectId, context.ClientId);
    }
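Revoking a reference token only takes effect at an API that asks IdentityServer about the token on each request. The following sketch of the consuming API's setup is an added example, not code from the original answer; it assumes the API uses the IdentityServer3.AccessTokenValidation OWIN middleware, and the class name, authority URL and scope name are placeholders.

```csharp
using System;
using IdentityServer3.AccessTokenValidation;
using Owin;

// Hypothetical OWIN startup class for an API that accepts the reference tokens.
public class ApiStartup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseIdentityServerBearerTokenAuthentication(
            new IdentityServerBearerTokenAuthenticationOptions
            {
                // Placeholder: base URL of the IdentityServer3 instance.
                Authority = "https://idsrv.example.test/identity",

                // Placeholder: scope this API requires.
                RequiredScopes = new[] { "api1" },

                // A reference token is an opaque handle, so it has to be
                // resolved at IdentityServer. Once the handle has been
                // revoked on sign-out, that lookup fails and the request
                // is rejected.
                ValidationMode = ValidationMode.ValidationEndpoint,

                // Caching validation results saves a round trip per request,
                // but a revoked token is still accepted until its cache entry
                // expires. The cache duration is therefore the upper bound on
                // how long a signed-out user's token keeps working here.
                EnableValidationResultCache = true,
                ValidationResultCacheDuration = TimeSpan.FromSeconds(30)
            });
    }
}
```

Setting `EnableValidationResultCache = false` makes revocation effective on the next request, at the cost of one call to IdentityServer per API request.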