Blazor WASM BFF Sample Still Allows API Requests Post Logout

[scottsauberlt]

After logging out of the Blazor WASM BFF sample, I'm still able to make API requests using the cookie. It seems like the cookie/underlying token aren't being invalidated. Is there something we can do to enforce this?

After someone logs out, I want the cookie/JWT to be invalidated and rejected by BFF.

Is there something we need to do on the Identity Server side to do this?

[josephdecock]

Take a look at server side sessions to give you more control over what happens to the session data at logout. If you enable server side sessions, then after logout the cookie will no longer be usable.

The reasons you're seeing this behavior are that JWTs fundamentally cannot be revoked because they are self-contained by design, and the session cookie that stores the session that contains the JWT (when server side sessions are not enabled) can't be invalidated either. Cookies are just http headers that the server uses to ask the browser to handle data in a particular way. If you keep using the cookie after the server asked you to destroy it, the cookie will still be valid unless you have some server-side data store to track sessions. That's exactly what our server side session feature provides.

I'm transferring this to support for better visibility.

[RolandGuijt]

@scottsauberlt Would you like to add anything to this issue? If not I'd like to close it.

[scottsauberlt]

I exchanged some support emails back and forth with Joseph already.

Generally speaking - I understand (or I'm guessing) why you guys don't include this into the baked in template, because then it wouldn't "Just Work" when you pull it down, because you'd need a database.

I feel like it'd be nice if the template had like commented out code or something for some of these best practice things like Server Side Sessions, Data Protection external out of the app, etc so it's a little more in your face what knobs you still need to turn to make it production ready.

Feel free to close if you don't want to take that action on this feedback or if you're tracking it another way.

[RolandGuijt]

We feel that the templates should be a way to quickly and relatively easily start a minimal new project. Devs can then build the setup needed for their specific needs using our examples, quickstarts and documentation.
Including all this in a template could quickly get overwhelming imho.

[scottsauber]

What do you think about having some pieces commented out that people probably want for production readiness just to give them heightened visibility these things exist? Or like a comment with a link to a doc to make it production ready? (ie DataProtection, user sessions, etc?)

[RolandGuijt]

Thanks for the suggestion. We'll consider it for our next round of updates. Closing this issue for now but feel free to reopen if needed.

[AndersAbel]

Thanks @scottsauber for the suggestion to add comments to the templates. I filed DuendeSoftware/docs.duendesoftware.com#523 to keep track of it.

I didn't include the server side session item though, as that is not one of the things that are mandatory. In many setups it's perfectly fine (or even preferrable) to use cookie based sessions over server side sessions. There are limitations with the cookie based sessions yes, but there are also performance implications of using server side sessions. The choice between them must be done case-by-case.