azure mobile service active directory authentication X-ZUMO-AUTH token valid in postman after logout

2
votes

I have Azure Mobile Service and AD set up for authentication.

Log out and login works perfectly through mobile app.

AD application reply url is https://test.azure-mobile.net/signin-aad

client = new MobileServiceClient (applicationURL, applicationKey);

var authResult = await client.LoginAsync(this, MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory);

var data = await client.InvokeApiAsync("testAPI", HttpMethod.Get, null); //Works

client.Logout(); // LOGOUT

var data = await client.InvokeApiAsync("testAPI", HttpMethod.Get, null); //Unauthorized Error at mobile side. Request not going to API

This working is perfect.

But if I copy the token from authResult after LOGOUT, I can use same token to call API from postman.

Header: X-ZUMO-AUTH → token

How I can validate the token? Any setting needed at Azure Mobile Service Side to validate and prevent this?

1
c#azure-mobile-serviceslogoutazure-active-directorypostman

1 Answers

3
votes

When you log out on the client, the auth token is removed from the client but nothing is communicated to the server to indicate that this token is now invalid. So if the token is stored off somewhere else and re-used, it will still be valid until it expires.

I'm not sure there's a good way to do this. You could reset the site's master key but that invalidates all other tokens, so that's not really a viable option. You could store a list of invalid tokens on the server and check them with each request, but that adds a lookup with each request.

Here's another question with a similar answer and a couple other links: Logout/invalidate a JWT