I essentially have the setup described here: http://blogs.msdn.com/b/martinkearn/archive/2015/03/25/securing-and-working-securely-with-web-api.aspx

The trouble is, if a user's roles are modified after receiving a token, the change is not reflected unless the user logs in again and receives a new token.

For example:

  • user is in role "ABC"
  • user logs in, receives a token
  • user uses token to access endpoint decorated with [Authorize(Roles="ABC")] (as expected)
  • administrator takes user out of role "ABC"
  • user can STILL use token to access endpoint decorated with [Authorize(Roles="ABC")] (unexpected)
  • user discards token, logs in again, receives a new token
  • user uses new token to access endpoint decorated with [Authorize(Roles="ABC")] and gets 401 (as expected)

In other words, unless the user requests a new token (logs in again), HttpContext.Current.User.IsInRole("ABC") returns true, even though the AspNetUserRoles table shows that user does NOT have that role.

How can I update (or perhaps invalidate?) the token when changes are made to the AspNetUserRoles table?
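The behaviour in the question follows from how role-based authorization over a bearer token works: the roles are copied into the token's claims at login, and `[Authorize(Roles="ABC")]` only ever reads those claims, never the `AspNetUserRoles` table. The added example below (not code from the question or from ASP.NET Identity) replays the seven steps with a self-signed HMAC token and an in-memory user store, both constructed here, and contrasts the claims-only check with a server-side check that ties each token to a per-user "security stamp" that rotates whenever roles are edited, so a token issued before the change is rejected and roles are re-read from the store. The names `UserStore`, `issue_token`, `authorize_snapshot` and `authorize_revalidated` are this example's own, not framework APIs.

```python
"""Why a bearer token keeps granting a removed role, and a server-side fix.

Added example, not code from the question or from ASP.NET Identity. The token
format, the signing key and the user store are all constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-signing-key-do-not-reuse"  # constructed for the demo only


class UserStore:
    """In-memory stand-in for AspNetUserRoles plus a per-user security stamp."""

    def __init__(self):
        self._roles = {}   # user -> set of role names
        self._stamp = {}   # user -> opaque value that changes on any role edit

    def add_user(self, user, roles):
        self._roles[user] = set(roles)
        self._stamp[user] = secrets.token_hex(8)

    def roles(self, user):
        return set(self._roles.get(user, ()))

    def stamp(self, user):
        return self._stamp.get(user)

    def remove_role(self, user, role):
        self._roles[user].discard(role)
        # Rotating the stamp is what lets previously issued tokens be recognised as stale.
        self._stamp[user] = secrets.token_hex(8)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(store, user):
    """Login: snapshot the user's current roles and stamp into a signed token."""
    payload = {"sub": user, "roles": sorted(store.roles(user)), "stamp": store.stamp(user)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def read_token(token):
    """Verify the signature and return the claims, or None if tampered or malformed."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(body))


def authorize_snapshot(token, required_role):
    """Mirrors [Authorize(Roles=...)] over token claims alone: roles are whatever
    was true at login, so a role removed afterwards is still honoured."""
    claims = read_token(token)
    return claims is not None and required_role in claims["roles"]


def authorize_revalidated(store, token, required_role):
    """Hardened check: the token proves identity, the store decides roles.
    A stamp mismatch means roles changed since the token was issued, so it is
    rejected (the same idea as ASP.NET Identity's SecurityStamp validation)."""
    claims = read_token(token)
    if claims is None or claims["stamp"] != store.stamp(claims["sub"]):
        return False
    return required_role in store.roles(claims["sub"])


def run_scenario():
    """Replays the steps from the question; returns (claims-only, revalidated) outcomes."""
    store = UserStore()
    store.add_user("alice", ["ABC"])                       # user is in role "ABC"
    token = issue_token(store, "alice")                    # user logs in, receives a token
    before = (authorize_snapshot(token, "ABC"), authorize_revalidated(store, token, "ABC"))
    store.remove_role("alice", "ABC")                      # administrator removes the role
    after = (authorize_snapshot(token, "ABC"), authorize_revalidated(store, token, "ABC"))
    fresh = issue_token(store, "alice")                    # user logs in again
    relogin = (authorize_snapshot(fresh, "ABC"), authorize_revalidated(store, fresh, "ABC"))
    return {"before": before, "after_removal": after, "after_relogin": relogin}


if __name__ == "__main__":
    print(run_scenario())
```

The cost of the revalidated check is one store lookup per request, which is the trade-off any "revoke before expiry" design makes; keeping token lifetimes short limits how long a stale snapshot can be honoured even where that lookup is not done.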
