Authentication Session Invalidation (added in v2.4)
IdentityServer3 defines the IAuthenticationSessionValidator
interface to allow invalidating an existing login session.
This can be used to, in essence, ignore a logged in user’s authentication cookie (typically due to some external event such as the user having changed their password since they logged in).
The user will be treated as anonymous, which generally means that they must re-authenticate to continue to use IdentityServer.
IAuthenticationSessionValidator
The interface defines one method:
IsAuthenticationSessionValidAsync
- This method is called whenever an authentication cookie is presented to IdentityServer for the logged in user. Return
true
to indicate the authentication cookie should be honored,false
otherwise. - The
ClaimsPrincipal
representing the authenticated user is passed as a parameter.