This is my custom logout endpoint:

```csharp
[HttpPost("logout")]
public async Task<IActionResult> LogoutAsync()
{
    // revoke tokens issued for the current IdentityServer session
    await _interaction.RevokeTokensForCurrentSessionAsync();
    // clear the authentication cookie
    await HttpContext.SignOutAsync();
    return Ok();
}
```
It removes the IdentityServer cookies, but if a user has a refresh_token at this time, he can still use it after logout. How do I revoke all related refresh tokens? I tried using IIdentityServerInteractionService.RevokeTokensForCurrentSessionAsync, but it doesn't work as expected.
Is your client a SPA? If yes, delete the refresh_token from localStorage in the logout action.

Also, you can make a POST request to this endpoint inside your custom logout function using HttpClient:

```
POST https://[Your_IdentityServer4_url]/connect/revocation
Content-Type: application/x-www-form-urlencoded

token_type_hint=refresh_token
client_id=[your_client_id]
client_secret=[your_client_secret]
token=[your_refresh_token]
```
Alternatively, you can use events to revoke the refresh token on sign-out, like this:

```csharp
.AddCookie("cookie", options =>
{
    options.Cookie.Name = "mvccode";
    options.Events.OnSigningOut = async e =>
    {
        // revoke refresh token on sign-out
        await e.HttpContext.RevokeUserRefreshTokenAsync();
    };
})
```
Link to the documentation - here.
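The revocation request described in the answer above, written out as a small HttpClient helper. This is an added example, not code from the answerer or from IdentityServer4; the endpoint URL is the placeholder from the answer, and `clientId`, `clientSecret` and `refreshToken` are assumed to be supplied by the caller (the secret from configuration, not source).

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

// Revokes a refresh token at the IdentityServer4 revocation endpoint (RFC 7009).
// Call this from the client's logout routine before discarding the local token copy,
// so the token is dead server-side even if the client-side deletion fails.
public static class RefreshTokenRevoker
{
    // Placeholder from the answer; replace with the real IdentityServer base URL.
    private const string RevocationEndpoint =
        "https://[Your_IdentityServer4_url]/connect/revocation";

    public static async Task<bool> RevokeAsync(
        HttpClient http, string clientId, string clientSecret, string refreshToken)
    {
        // The revocation endpoint expects application/x-www-form-urlencoded,
        // which FormUrlEncodedContent produces (including the Content-Type header).
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["token_type_hint"] = "refresh_token",
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret,
            ["token"] = refreshToken,
        });

        using var response = await http.PostAsync(RevocationEndpoint, form);

        // Per RFC 7009 the server returns 200 OK whether or not the token was still
        // active, so success means "this token can no longer be used", not "it was
        // valid". A 400/401 indicates a malformed request or bad client credentials,
        // which the caller should log as a failed revocation rather than ignore.
        return response.IsSuccessStatusCode;
    }
}
```

If the client is confidential (a server-side MVC app), keep the client_secret on the server and perform this call there; a SPA cannot hold a secret, so it should use a client registered without one and rely on the cookie event approach above or on short refresh-token lifetimes.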