1
votes

I have sign-in working using OWIN but can't sign out.
In the Startup:

using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public void ConfigureOAuth(IAppBuilder app)
    {
        OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
        {
            AllowInsecureHttp = true,
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            Provider = new AuthorizationServerProvider(),
            // The identity the provider builds (below) uses this same authentication type.
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie
        };
        // Registers the authorization server plus bearer-token authentication.
        app.UseOAuthBearerTokens(OAuthServerOptions);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
    }
}

In the AuthorizationServerProvider:

using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

public class AuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // No client credentials are checked; every client is accepted.
        context.Validated();
        return Task.FromResult<object>(null);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
        using (demoEntities _repo = new demoEntities())
        {
            // Looks the user up by username and the stored (plaintext) password column.
            if (!_repo.users.Where(x => x.username == context.UserName && x.pass == context.Password).Any())
            {
                context.SetError("invalid_grant", "wrong.");
                return;
            }
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim("sub", context.UserName));
        identity.AddClaim(new Claim("role", "user"));
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        if (context.Request.Path.Value != "/api/apidemo/logout")
        {
            // Issues the application cookie in addition to the bearer token below.
            context.Request.Context.Authentication.SignIn(identity);
        }
        else
        {
            context.Request.Context.Authentication.SignOut();
        }

        // Issues the bearer token for this identity.
        context.Validated(identity);
    }
}


In the ApiController:

using System.Net.Http;
using System.Web.Http;
using Microsoft.AspNet.Identity;

public class ApiDemoController : ApiController
{
    [HttpGet]
    [ActionName("logout")]
    public IHttpActionResult logout()
    {
        // Signs out the application cookie authentication type only.
        Request.GetOwinContext().Authentication.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return Ok();
    }
}

I call logout and then use the old token, but it still works. So is logout not working? Thanks for reading.

1

1 Answer

5
votes

That's not how OWIN works. There is no logout. You get a token and that token is valid for a set amount of time. The token will be valid until it expires.

You could add an extra layer yourself: basically, when a token is generated, store it somewhere together with its expiry date and a valid status. When you call logout you update the token to be invalid; then, when it's used, after it passes the OWIN check you run your own check and invalidate it.

To be honest, I would not bother with this. If you go down this route it means that you're not using OWIN for what it's meant to do, which is application-level authentication, not user authentication. There is a huge difference between the two.

So, my advice would be to use a membership system for your user authentication and keep the OWIN stuff separate. If you do it like this then you can actually log someone out.

So, bottom line: OWIN tokens are valid until they expire.
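The "extra layer" the answer sketches, as an added example that is not part of the question or the answer. It assumes a hypothetical in-memory `RevokedTokens` store, a per-token `jti` claim added at grant time, a constructed credential check (`demo`/`demo`) in place of the question's database lookup, and an `ApiDemoController` that marks the presenting token revoked. The revocation check is hooked into `OAuthBearerAuthenticationProvider.ValidateIdentity`, which Katana calls only after it has already verified the token's protection and expiry, so the custom check runs exactly "after it passes the OWIN check" as the answer describes:

```csharp
using System;
using System.Collections.Concurrent;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical revocation store: token id -> that token's expiry, so stale entries can be dropped.
// In-memory, so it only covers one process; a web farm needs a shared store (database, cache).
public static class RevokedTokens
{
    private static readonly ConcurrentDictionary<string, DateTimeOffset> Store =
        new ConcurrentDictionary<string, DateTimeOffset>();

    public static void Revoke(string tokenId, DateTimeOffset expiresUtc) { Store[tokenId] = expiresUtc; }

    public static bool IsRevoked(string tokenId)
    {
        DateTimeOffset expiresUtc;
        if (!Store.TryGetValue(tokenId, out expiresUtc)) return false;
        if (expiresUtc > DateTimeOffset.UtcNow) return true;
        Store.TryRemove(tokenId, out expiresUtc); // OWIN rejects the token on expiry anyway; forget it
        return false;
    }
}

// Token issuer: the question's provider with a per-token "jti" claim added, which the store is keyed on.
public class RevocableTokenProvider : OAuthAuthorizationServerProvider
{
    private readonly Func<string, string, bool> _checkCredentials;
    public RevocableTokenProvider(Func<string, string, bool> checkCredentials) { _checkCredentials = checkCredentials; }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // no client secret in this flow, as in the question
        return Task.FromResult<object>(null);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!_checkCredentials(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return Task.FromResult<object>(null);
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim("sub", context.UserName));
        identity.AddClaim(new Claim("jti", Guid.NewGuid().ToString("N"))); // unique id for this token
        context.Validated(identity);
        return Task.FromResult<object>(null);
    }
}

// Bearer side: runs after OWIN has verified protection and expiry, and rejects revoked tokens.
public class RevocationCheckingBearerProvider : OAuthBearerAuthenticationProvider
{
    public override Task ValidateIdentity(OAuthValidateIdentityContext context)
    {
        var jti = context.Ticket.Identity.FindFirst("jti");
        if (jti == null || RevokedTokens.IsRevoked(jti.Value))
            context.Rejected(); // request continues unauthenticated; [Authorize] then returns 401
        return Task.FromResult<object>(null);
    }
}

public partial class Startup
{
    public void ConfigureOAuth(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
            AuthenticationType = OAuthDefaults.AuthenticationType, // "Bearer", kept separate from any cookie
            Provider = new RevocableTokenProvider((user, pass) => user == "demo" && pass == "demo") // constructed check
        });
        // UseOAuthBearerTokens cannot take a bearer provider, so the two halves are registered separately.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new RevocationCheckingBearerProvider()
        });
    }
}

public class ApiDemoController : ApiController
{
    [Authorize, HttpPost, ActionName("logout")]
    public async Task<IHttpActionResult> Logout()
    {
        // Re-authenticate the bearer header to get the ticket's own expiry for the store entry.
        var result = await Request.GetOwinContext().Authentication.AuthenticateAsync(OAuthDefaults.AuthenticationType);
        var jti = result == null ? null : result.Identity.FindFirst("jti");
        if (jti == null) return Unauthorized();
        var expiresUtc = result.Properties.ExpiresUtc ?? DateTimeOffset.UtcNow.AddMinutes(20);
        RevokedTokens.Revoke(jti.Value, expiresUtc);
        return Ok();
    }
}
```

Flow: POST `grant_type=password&username=demo&password=demo` to `/token`, call any `[Authorize]` action with `Authorization: Bearer <token>`, POST `/api/apidemo/logout` with the same header, and the next call with that token gets 401 even though it has not expired. Two deliberate departures from the question's setup: logout is a POST because it changes server state, and `AllowInsecureHttp` is left at its default, so the token endpoint only answers over HTTPS. The store is also what makes this a per-token revocation rather than a per-user one; revoking every token a user holds would mean keying on `sub` instead of `jti` and recording the revocation time.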