- ABP Framework version: v7.2.1
- UI Type: Angular
- Database System: EF Core
- Tiered (for MVC) or Auth Server Separated (for Angular): yes (Auth Server Separated - OpenIddict)
- Exception message and full stack trace:
- Steps to reproduce the issue:
  - Log in as a user to generate an active access token and refresh token.
  - Log out to revoke the tokens.
- Expected behaviour: The access token can no longer be used, giving a 401 error if used.
- Actual behaviour: The user is still able to make requests with the revoked access token.

We have tried to write middleware as a workaround for this issue, but ran into problems when dealing with impersonating a tenant/user. Furthermore, the tokens are not revoked if a user is logged in and has "isActive" set to false. The suggested behaviour here is that such a user should be logged out and that their tokens are revoked. (Note that we are using OpenIddict tokens.)