Authentication Session Invalidation (added in v2.4)
IdentityServer3 defines the
IAuthenticationSessionValidator interface to allow invalidating an existing login session.
This can be used to, in essence, ignore a logged in user’s authentication cookie (typically due to some external event such as the user having changed their password since they logged in).
The user will be treated as anonymous, which generally means that they must re-authenticate to continue to use IdentityServer.
The interface defines one method:
- This method is called whenever an authentication cookie is presented to IdentityServer for the logged in user. Return
trueto indicate the authentication cookie should be honored,
ClaimsPrincipalrepresenting the authenticated user is passed as a parameter.