azure 移动服务活动目录身份验证 X-ZUMO-AUTH 令牌在注销后在邮递员中有效 [英] azure mobile service active directory authentication X-ZUMO-AUTH token valid in postman after logout

问题描述

I have Azure Mobile Service and AD set up for authentication.

Log out and login works perfectly through mobile app.

AD application reply url is https://test.azure-mobile.net/signin-aad

client = new MobileServiceClient (applicationURL, applicationKey);

var authResult = await client.LoginAsync(this, MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory);

var data = await client.InvokeApiAsync("testAPI", HttpMethod.Get, null); //Works

client.Logout(); // LOGOUT

var data = await client.InvokeApiAsync("testAPI", HttpMethod.Get, null); //Unauthorized Error at mobile side. Request not going to API

This working is perfect.

But if I copy the token from authResult after LOGOUT, I can use same token to call API from postman.

Header: X-ZUMO-AUTH → token

How I can validate the token? Any setting needed at Azure Mobile Service Side to validate and prevent this?

解决方案

When you log out on the client, the auth token is removed from the client but nothing is communicated to the server to indicate that this token is now invalid. So if the token is stored off somewhere else and re-used, it will still be valid until it expires.

I'm not sure there's a good way to do this. You could reset the site's master key but that invalidates all other tokens, so that's not really a viable option. You could store a list of invalid tokens on the server and check them with each request, but that adds a lookup with each request.

Here's another question with a similar answer and a couple other links: Logout/invalidate a JWT

这篇关于azure 移动服务活动目录身份验证 X-ZUMO-AUTH 令牌在注销后在邮递员中有效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！