Add a comment indicating how authorization codes/refresh tokens can be automatically invalidated when the security stamp is updated

9 years ago · e41b0260bd
1 changed files with 3 additions and 0 deletions
--- a/samples/Mvc.Server/Controllers/AuthorizationController.cs
+++ b/samples/Mvc.Server/Controllers/AuthorizationController.cs
@ -231,6 +231,9 @@ namespace Mvc.Server
                    OpenIdConnectServerDefaults.AuthenticationScheme);

                // Retrieve the user profile corresponding to the authorization code/refresh token.
+                // Note: if you want to automatically invalidate the authorization code/refresh token
+                // when the user password/roles change, use the following line instead:
+                // var user = _signInManager.ValidateSecurityStampAsync(info.Principal);
                var user = await _userManager.GetUserAsync(info.Principal);
                if (user == null)
                {