Access token revocation implementation in OAuth 2

web-services rest oauth owin katana
Sargis Koshkaryan picture Sargis Koshkaryan · Mar 28, 2014 · Viewed 11k times · Source

I've used OWIN OAuth 2 to implement my Authorization Server Provider. Now, I want to implement token revocation (when my client application wants to logout).
Can anybody help me and tell how to implement token revocation in OWIN KATANA OAuth 2. Are there some good practices for it?

Answer

Sher10ck picture Sher10ck · Sep 27, 2014

There are two kinds of token involved in OAuth 2.0. One is access token and the other is refresh token.

For refresh token, I really recommend Token Based Authentication using ASP.NET Web API 2, Owin, and Identity written by Taiseer Joudeh. He provides a step by step tutorial on setting up token based authentication, including revoking refresh token.

For access token, I use a black list to store revoked access tokens. When a user logins out, I add the user's current access token into a black list. And if a new request comes, I first check whether its access token is in the black list. If yes, reject the request, other wise let OAuth component do the validation.

Here are some implementation details:

I use cache to work as a black list and set cache item's expiration to the access token's expiration. The cache item (access token) will be removed from black list automatically after it expires. (We don't need to keep the access token in the black list after it expires. If the token expires, no matter whether it's in the black list or not, it can't pass OAuth validation mechanism).

The following code shows how to reject a request if its access token is in the black list.

app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()
    {
        Provider = new OAuthBearerAuthenticationProvider()
            {
                OnRequestToken = context =>
                   {
                        if(blackList.contans(context.Token))
                        {
                            context.Token = string.Empty;
                        }

                        return Task.FromResult<object>(null);
                    }
            }
    }

What I do is if I find the access token in black list, I set the access token to empty string. Later, when the OAuth component tries to parse the token, it finds out that the token is empty. Definitely, an empty string isn't a valid token, so it will reject the request, just like you send a request with an invalid access token.

Related questions

How to secure RESTful web services?

I have to implement secure RESTful web services. I already did some research using Google but I'm stuck. Options: TLS (HTTPS) + HTTP Basic (pc1oad1etter) HTTP Digest two-legged OAuth a Cookie-based approach client certificates (Tom Ritter and here) Signed …

Read More
Authentication for REST web services

I'm starting to design a REST web service, and am unclear on the best approach to authentication. The service will allow individual users to access/manage their own data, so some type of user authentication is required. I've been looking …

Read More
SOAP vs REST (differences)

I have read articles about the differences between SOAP and REST as a web service communication protocol, but I think that the biggest advantages for REST over SOAP are: REST is more dynamic, no need to create and update UDDI(…

Read More