Many grant types require persistence in IdentityServer. These include authorization codes, refresh tokens, reference tokens, and remembered user consents. Internally in IdentityServer, the default storage for these grants is in a common store called the persisted grants store.
The persisted grant is the data type that maintains the values for a grant. It has these properties:
- The unique identifier for the persisted grant in the store.
- The type of the grant.
- The subject id to which the grant belongs.
- The client identifier for which the grant was created.
- The description the user assigned to the grant or device being authorized.
- The date/time the grant was created.
- The expiration of the grant.
- The date/time the grant was “consumed” (see below).
- The grant specific serialized data.
Data property contains a copy of all of the values (and more) and is considered authoritative by IdentityServer, thus the above values, by default, are considered informational and read-only.
The presence of the record in the store without a
ConsumedTime and while still within the
Expiration represents the validity of the grant.
Setting either of these two values, or removing the record from the store effectively revokes the grant.
Some grant types are one-time use only (either by definition or configuration).
Once they are “used”, rather than deleting the record, the
ConsumedTime value is set in the database marking them as having been used.
This “soft delete” allows for custom implementations to either have flexibility in allowing a grant to be re-used (typically within a short window of time),
or to be used in risk assesment and threat mitigation scenarios (where suspicious activity is detected) to revoke access.
For refresh tokens, this sort of custom logic would be performed in the
Persisted Grant Service¶
Working with the grants store directly might be too low level.
As such, a higher level service called
IPersistedGrantService is provided.
It abstracts and aggregates the different grant types into one concept, and allows querying and revoking the persisted grants for a user.
It contains these APIs:
- Gets all the grants for a user based upon subject id.
- Removes grants from the store based on the subject id and optionally a client id and/or a session id.