Token / PermissionGrants #347
Comments
Addition: I already read the articles provided in the gitter.im chat and on blogs. None of them could help me to solve that problem. :/
Configuration Startup of MVC1 and IS1: http://hastebin.com/qofipuduyi
Why not use a reference token to have full control?
Because I can't find the entries in the database to remove them. :/
Once the user has a token, they can always access the resource according to the claims described within it! You can:
If it's an emergency (i.e. you cannot wait for the access_token (or refresh token) to expire), you can:
But why is there no entry in PermissionGrantStore? I made it like in the EF sample.
Depending on the flow and configuration, there might not need to be a record in the DB in IdentityServer.
Implicit flow, Reference, StoreAsync is not getting called. This does not work (no record in database): But I want to e.g. block a user (change user entry (no problem) and remove his sessions)
Do you need a
I modified it. It allows null. But the problem is somewhere else. I don't even get a record. Here is the Login method. Account / Login
I inject this: GrantStore is the same as in the EF example (only 1 line modified on logout).
I'm sorry -- I am not following how the persisted grant store relates to login sessions (because they aren't the same thing). If you have a requirement where a user can only be logged into one app at a time, then that's up to you to implement on your own in the app with some check back to a central DB that knows the user's last login session at which app.
It's about the reference token.
I can't find the store / service for reference tokens. Any idea?
This store does not get called. I wrote above.
(But the programmatic logout doesn't => RemoveAllAsync does not work because StoreAsync does not get called.)
So am I. I'm sorry. I have a feeling that your expectation of how it's supposed to work is not lined up with how it actually works. When a user logs in they're assigned a session ID in their cookie. This is added to id_tokens when the user logs into client apps. Also, if the client app requests API access then they're issued an access token. If the access token default configuration is changed to a reference token then that's when the persistent grant store would be used -- but it's not the default.
It seems like I'm too stupid. ^^ What I would like to achieve is the following. User can log in into IdSrv. User can log out. Now, if I block him or if he e.g. changes password I want to "cancel" his session so he is logged out of IdSrv => IdSrv notifies all MVC apps that user not valid => new login redirect to IdSrv. I want to have full control over the user.
The only thing like this in IdSvr is the If you want to disable a user's existing session in an existing app and just make them login again, you'll have to build this yourself with your own custom check in the MVC app for this.
Like how? Can't I just use something like a cache timespan on the MVC app for revalidating the reference token?
I thought about an endpoint on the apps like logout, for changes on user claims for e.g. or user state.
I think you need to spend some more time learning how OIDC and OAuth2 work. This seems to be your major mental hurdle, because you're conflating things that aren't related. Once you have a better understanding of them then I think you'll have an easier time with your requirement.
IsActive gets called on Login, how can I say how often this gets called e.g.?
that would be a new issue - but here's the low down: #258 closing this one now...OK?
Hey IdentityServer Team,
I have the following problem:
I want to invalidate a user. I googled and I found UseIdentityServerBearerTokenAuthentication in IdentityServer3. I found the same for IdentityServer4 but I don't understand how to use it. Every sample talks about API usage. (I use cookies)
What I want:
IS1 => IdentityServer
MVC1 => e.g. CoolMvcSite
MVC2 => e.g. ShitMvcSite
User => MVC1
User clicks Login => Redirect to IS1
Login on IS1 => logged in in MVC1
^^^^^^^^^^^^^^^^^^^^^^^ this works. But now I want to invalidate a user session. (Block him, or he logged in on another device)
Invalidate user session for user on all clients (MVC1, MVC2)
User goes to some protected stuff => Redirect to IS1, has to login again
Is it possible to say that an MVC application caches the IS1 response for a user for 5 minutes, and after 5 minutes, on the next user request, the MVC application checks with IS1 whether it is still valid?
Or that IS1 sends on invalidation a request to a controller on every client application to tell them the news.
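The maintainer's answer in the thread is that the MVC app's login cookie is not tied to any record in IdentityServer, so "block this user everywhere" needs two pieces: IdentityServer refusing to issue new tokens to a blocked user (the IsActive hook mentioned near the end of the thread), and each client app periodically re-checking its own cookie against a central store (the 5-minute cache idea from the original question). The following is an added example of both halves, written for this page; it is not code from the thread or from the IdentityServer4 project. The IUserStatusStore interface, the "last_revalidated_utc" property key and the registration lines are assumptions; the IProfileService, IsActiveContext, CookieAuthenticationEvents and CookieValidatePrincipalContext types are the real IdentityServer4 / ASP.NET Core extension points.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication.Cookies;

// Hypothetical central store (assumed, not part of the original thread). A real
// implementation would query the user database that both IS1 and the MVC apps share.
public interface IUserStatusStore
{
    Task<bool> IsBlockedAsync(string subjectId);                   // user disabled by an admin
    Task<bool> IsSessionRevokedAsync(string subjectId, string sid); // e.g. password change, login elsewhere
}

// --- IdentityServer side (IS1) ---
// IProfileService.IsActiveAsync is asked whether the user is still active when the
// user logs in and when tokens are issued. A blocked user gets no new tokens here;
// tokens already handed out stay valid until they expire, which is why the client
// side below is still needed.
public class BlockingProfileService : IProfileService
{
    private readonly IUserStatusStore _status;
    public BlockingProfileService(IUserStatusStore status) { _status = status; }

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Pass through only the claims the client asked for.
        context.IssuedClaims = context.Subject.Claims
            .Where(c => context.RequestedClaimTypes.Contains(c.Type))
            .ToList();
        return Task.CompletedTask;
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        var sub = context.Subject.FindFirst(JwtClaimTypes.Subject)?.Value;
        context.IsActive = sub != null && !await _status.IsBlockedAsync(sub);
    }
}

// --- Client side (MVC1, MVC2) ---
// The cookie handler calls ValidatePrincipal on every request that carries the
// login cookie. We trust the cookie for a window (the "5 minutes" from the
// question) and after that go back to the central store once, then renew the
// cookie with a fresh stamp so the window restarts.
public class RevalidatingCookieEvents : CookieAuthenticationEvents
{
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(5);
    private const string StampKey = "last_revalidated_utc"; // assumed property name
    private readonly IUserStatusStore _status;
    public RevalidatingCookieEvents(IUserStatusStore status) { _status = status; }

    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        // Use our own stamp rather than IssuedUtc: sliding expiration re-issues the
        // cookie on its own and would otherwise restart the window without a check.
        if (context.Properties.Items.TryGetValue(StampKey, out var raw)
            && DateTimeOffset.TryParse(raw, out var last)
            && DateTimeOffset.UtcNow - last < Window)
        {
            return; // inside the cache window: no round trip
        }

        var sub = context.Principal.FindFirst(JwtClaimTypes.Subject)?.Value;
        var sid = context.Principal.FindFirst(JwtClaimTypes.SessionId)?.Value; // "sid" copied from the id_token
        var stillValid = sub != null && sid != null
            && !await _status.IsBlockedAsync(sub)
            && !await _status.IsSessionRevokedAsync(sub, sid);

        if (!stillValid)
        {
            // Drop the local login; the next protected request is challenged again
            // and the user is redirected to IS1, where IsActiveAsync decides.
            context.RejectPrincipal();
            return;
        }

        context.Properties.Items[StampKey] = DateTimeOffset.UtcNow.ToString("o");
        context.ShouldRenew = true; // re-issue the cookie so the new stamp is persisted
    }
}

// Registration (ASP.NET Core 2.x style, assumed):
//   IS1:  services.AddTransient<IProfileService, BlockingProfileService>();
//   MVC1: services.AddScoped<RevalidatingCookieEvents>();
//         services.AddAuthentication(...)
//                 .AddCookie(o => o.EventsType = typeof(RevalidatingCookieEvents));
```

The sid claim is the session ID the maintainer describes above: IdentityServer puts it into the id_token, and the OpenID Connect handler copies it into the app's cookie principal, so revoking "that login session" rather than "the whole user" is possible without any record in the persisted grant store. The window is a trade-off: a shorter one makes a block take effect sooner at the cost of one store lookup per user per window.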