I would like to forcibly invalidate a Bearer Token that was issued by the default ApplicationOAuthProvider from the ASP.NET Web API 2 project template.
The project has the below code, which doesn't work for Bearer tokens.
Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
There's nothing built in for that - you could build your own mechanism for it which typically involves something like a database check on each request.
The other thing is, keep token lifetime short and use something like refresh tokens - see here: http://leastprivilege.com/2013/11/15/adding-refresh-tokens-to-a-web-api-v2-authorization-server/
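A sketch of the per-request check described in the answer above, as an added example that is not part of the original post or of the project template. The names `RevokedTokens`, `RevocableAuthorizeAttribute` and the `token_id` claim are hypothetical, and the in-memory dictionary stands in for the database lookup.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical revocation store. In production this is the database check;
// a static dictionary is used here only to keep the example self-contained.
public static class RevokedTokens
{
    // token id -> the token's own expiry, so stale entries can be pruned later
    private static readonly ConcurrentDictionary<string, DateTimeOffset> Ids =
        new ConcurrentDictionary<string, DateTimeOffset>();

    public static void Revoke(string tokenId, DateTimeOffset expiresUtc)
    {
        Ids[tokenId] = expiresUtc;
    }

    public static bool IsRevoked(string tokenId)
    {
        return Ids.ContainsKey(tokenId);
    }
}

// Use in place of [Authorize]. Authorization filters run after the bearer
// token has been turned into a principal, so its claims are available here.
public class RevocableAuthorizeAttribute : AuthorizeAttribute
{
    public const string TokenIdClaim = "token_id"; // assumed claim name

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        if (!base.IsAuthorized(actionContext)) return false;

        var identity = actionContext.RequestContext.Principal.Identity as ClaimsIdentity;
        var claim = identity == null ? null : identity.FindFirst(TokenIdClaim);

        // Fail closed: a token without an id can never be revoked, so reject it.
        return claim != null && !RevokedTokens.IsRevoked(claim.Value);
    }
}

// At issue time (for example in GrantResourceOwnerCredentials), give every
// token a unique id before the ticket is created, where `identity` is the
// ClaimsIdentity placed in the ticket:
//   identity.AddClaim(new Claim(RevocableAuthorizeAttribute.TokenIdClaim,
//                               Guid.NewGuid().ToString("N")));
```

A logout or admin action then reads the `token_id` claim of the token to be invalidated and passes it to `RevokedTokens.Revoke`. With short token lifetimes, the store only has to keep an entry until the token's own expiry.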