I have IdentityServer4 at is.mysite.com, and then I have mysite.com, which uses Angular to serve the content. Lastly, I have api.mysite.com, which uses IS4 to protect the content.
What I'd like to know is what is the expected behavior of the lifetime of the token after the user has signed out. Consider the following scenario:
The current result that I get is that the user is able to retrieve the data. Is this expected? Shouldn't the user no longer be able to use said token because they have logged out? The way I log out the users is as follows:
await _loginManager.LoggOffAsync(HttpContext.User);
await HttpContext.SignOutAsync();
Also, if I visit is.mysite.com, the user truly is logged out.
The Angular client may monitor the session state of the user by using the session management specification; this is accomplished through an iframe. For more information on the logout process you can take a look at the official documentation, specifically the section describing JavaScript clients.
Given how the session management specification is designed, there is nothing special in IdentityServer that you need to do to notify these clients that the user has signed out. The clients, though, must perform monitoring on the check_session_iframe, and this is implemented by the oidc-client JavaScript library.
It is intended behavior that the access token remains valid; this is why access tokens are valid for a short duration. If you need precise control over the validity of access tokens you can look into reference tokens, which are able to be revoked.