Web API 2, OWIN Authentication, SignOut doesn't logout

Solution 1:

Since OAuth is not an authentication protocol, there is no notion of signout. Delete the access token on the client - that's all you can do.

If you want to invalidate the token on the server side, add a unique id to it and keep track in your service - you would need to manually build something like that.

Solution 2:

I have a beautiful solution here: http://www.nakov.com/blog/2014/12/22/webapi-owin-identity-custom-login-service/. It is a custom user session implementation for Web API OAuth bearer token authorization based on OWIN and the standard ASP.NET Identity (Microsoft.AspNet.Identity.EntityFramework). It works as most people may expect:

  • Web API sessions die after 30 minutes of inactivity.
  • The session's life is extended by an additional 30 minutes at each authorized HTTP request.
  • Logout works correctly: after logout the bearer access_token becomes invalid (it is revoked).

Full working source code is available at GitHub: https://github.com/SoftUni/SPA-with-AngularJS/tree/master/Ads-REST-Services

Solution 3:

This question has been here for ages (and answered too), but I only wanted to chime in my thoughts.

I would do something similar to your (C) option, but use a shorter expiry on the bearer access token, something like 10 or 20 minutes, so that when you have logged out and deleted the token on the client, although technically the token is still valid, the bad man will have only the remainder of the expiry time to play with your valid token.

In practice, I would use this together with a long-lived refresh token, so that I can get a new bearer token if it expires and I want to continue interacting with the API resources, without having to authenticate again.
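Putting Solution 1 (a unique id in the token, tracked server-side) and Solution 3 (a short token lifetime) together in OWIN, as an added example that is not code from any of the answers above or from the linked blog. It assumes your existing OAuthAuthorizationServerProvider adds a `"jti"` claim (e.g. `new Claim("jti", Guid.NewGuid().ToString("N"))`) to the ClaimsIdentity it validates, that `AccessTokenLifetime` is also passed as `AccessTokenExpireTimeSpan` to the authorization server options, and that the names `RevokedTokens`, `ConfigureBearerAuth` and `AccountController` are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin.Security.OAuth;
using Owin;
// Hypothetical in-memory revocation list: jti -> time after which the entry may be purged (token expired by then).
public static class RevokedTokens
{
    public static readonly ConcurrentDictionary<string, DateTimeOffset> Jtis =
        new ConcurrentDictionary<string, DateTimeOffset>();
}

public partial class Startup
{
    // Short lifetime as in Solution 3: a token that outlives logout is usable only briefly.
    public static readonly TimeSpan AccessTokenLifetime = TimeSpan.FromMinutes(20);

    public void ConfigureBearerAuth(IAppBuilder app)
    {
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new OAuthBearerAuthenticationProvider
            {
                // Runs per request after the token is unprotected and its expiry checked; Rejected() makes the request anonymous.
                OnValidateIdentity = ctx =>
                {
                    var jti = ctx.Ticket.Identity.FindFirst("jti")?.Value;
                    if (jti == null || RevokedTokens.Jtis.ContainsKey(jti))
                        ctx.Rejected();
                    return Task.FromResult(0);
                }
            }
        });
    }
}

public class AccountController : ApiController
{
    // POST api/Account/Logout with the bearer token: revokes exactly that token, not the user's other sessions.
    [Authorize, HttpPost]
    public IHttpActionResult Logout()
    {
        var jti = ((ClaimsIdentity)User.Identity).FindFirst("jti")?.Value;
        if (jti != null)
            RevokedTokens.Jtis[jti] = DateTimeOffset.UtcNow.Add(Startup.AccessTokenLifetime);
        return Ok();
    }
}
```

A background job can drop entries whose stored time has passed; on a multi-node deployment the list must live in a shared store (database or distributed cache) rather than in process memory.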