6
votes

I'm using the OAuth 2.0 OWIN security implementation (Bearer token) in my Web API project. Is there any possibility to override the default behavior and make the token's expiration sliding, and how can I log out from that kind of authentication?

1
To log out from OAuth 2, the user needs to resign the authorization in the original provider. For example, if I use Facebook to log in, the only way that I will log out of your app is to go to my FB settings and delete your application from the security tab. – balexandre

I don't use any external authentication, this is only for my internal authentication. – paradoxx.net

1 Answer

1
votes

If you follow the Web API template for ASP.NET and OWIN using OAuth, if you make a call to the AccountController logout function and pass in your Bearer token, you will be logged out and the bearer token will cease to be active.

For OAuth, you are expected to refresh the token before it expires or after it expires, or have the user re-authenticate to acquire a new token entirely after expiration. Inherently, the expiration of the token is fixed, but by implementing periodic refresh you end up with the same end result. The expiration slides with each refresh. This can all be configured in your OAuthAuthorizationServerOptions which is passed to your OWIN application context in Startup.Auth.

Hope this helps.
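The refresh-based sliding expiration described in the answer above, as an added example (not code from the answer or from the Web API template). The class name, the in-memory store, both lifetimes and the `/Token` path are assumptions; `provider` stands for whatever `IOAuthAuthorizationServerProvider` the project already uses.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;

// Hypothetical provider: single-use refresh tokens in memory (persist them, keyed by a hash, in a real service).
public class SlidingRefreshTokenProvider : AuthenticationTokenProvider
{
    static readonly TimeSpan RefreshLifetime = TimeSpan.FromHours(8); // assumed idle timeout
    static readonly ConcurrentDictionary<string, AuthenticationTicket> Store =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    public override void Create(AuthenticationTokenCreateContext context)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        // Every refresh stores a new ticket whose expiry restarts from now: the sliding part.
        var props = new AuthenticationProperties(
            new Dictionary<string, string>(context.Ticket.Properties.Dictionary));
        props.IssuedUtc = DateTimeOffset.UtcNow;
        props.ExpiresUtc = DateTimeOffset.UtcNow.Add(RefreshLifetime);
        Store[token] = new AuthenticationTicket(context.Ticket.Identity, props);
        context.SetToken(token);
    }

    public override void Receive(AuthenticationTokenReceiveContext context)
    {
        AuthenticationTicket ticket;
        // TryRemove makes the token single-use; unknown, replayed or expired tokens set no ticket.
        if (Store.TryRemove(context.Token, out ticket)
            && ticket.Properties.ExpiresUtc > DateTimeOffset.UtcNow) context.SetTicket(ticket);
    }

    // Logout: drop the refresh token. An access token already issued stays valid until it expires.
    public static bool Revoke(string token) { AuthenticationTicket t; return Store.TryRemove(token, out t); }

    public static OAuthAuthorizationServerOptions BuildOptions(IOAuthAuthorizationServerProvider provider)
    {
        return new OAuthAuthorizationServerOptions {
            TokenEndpointPath = new PathString("/Token"), Provider = provider,
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15), // short, so a revoked session ends soon
            RefreshTokenProvider = new SlidingRefreshTokenProvider() };
    }
}
```

The client slides its session by posting `grant_type=refresh_token` with the last refresh token to the token endpoint before the eight hours of inactivity run out.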