We are implementing an Auth0 token-based web application using Angular 1.x with a .NET Web API. The problem is that when a user logs in to the system, Auth0 creates a bearer token and stores it in localStorage (browser) and sessions.
The same bearer token is then used to authorize the Web API (using JWT) to get API data.
But the problem is, when a user signs out of the application, all sessions and localStorage are cleared. If I use the same bearer token for Web API calls using Postman or any other API testing tool, I am still getting results, even though the user has signed out of the application.
That is expected, and it's the definition of a bearer access token: anyone in possession of the token can use it to call the API to which it corresponds until the token is no longer valid. At this time, there is no revocation of access tokens, so the issued access token will be valid until it expires. The API can unilaterally decide that, in addition to the token being valid, the token must also not be present in a blacklist maintained by the API, and there could be an endpoint at the API level used to blacklist tokens.
Having said that, unless you're using a really long expiration (which is not recommended), this is mostly a non-issue; or, said another way, the important part is that you need to protect the tokens from leaking.
As an additional note, there's work being done around binding tokens only to the channel where they were originally used, which would also serve as a mitigation for this issue; however, there is no widespread adoption of this practice.