I'm working on setting up an Authentication Endpoint that uses Azure AD for the identity provider. I have everything working, but one question I have is this: if I create an authToken that's good for an hour and 5 minutes, but then five minutes later I delete the key that was used to create the authToken, we can't create authTokens any more, which is good. But if I have other API calls that validate the authToken, they will all validate the previously created token successfully and return data. This seems insecure, since if someone bad got hold of the clientId and appKey, I wouldn't be able to shut them out of my application without shutting down IIS and bringing everyone down. Am I missing something, or is this just how it works?
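The situation described in the question, as an added example that is not part of the original post: a self-contained token stays verifiable until its expiry, because validation only needs the issuer's signing key, so deleting the client's appKey stops new tokens being minted but does not affect ones already issued. One defensive pattern that lets an API cut off a compromised client without restarting anything is to keep a small server-side table of "credential revoked at" timestamps and reject any token whose `iat` predates the revocation. The code below is a stand-alone demo: it uses a constructed symmetric HS256 key in place of Azure AD's RSA signing key, and `REVOKED_APPS`, `issue_token`, `revoke_app` and `validate_token` are hypothetical names, not Azure AD or any library's API.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret standing in for the issuer's signing key (assumption:
# a symmetric HS256 key; Azure AD actually signs tokens with an RSA key pair).
ISSUER_KEY = b"demo-issuer-signing-key"

# Server-side record of revoked client credentials, keyed by the application id
# carried in the token: appid -> UNIX time at which its secret was revoked.
REVOKED_APPS: dict[str, int] = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(appid: str, issued_at: int, lifetime_s: int = 3900) -> str:
    """Mint a self-contained HS256 token (demo stand-in for the issuer's flow)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"appid": appid, "iat": issued_at,
                              "exp": issued_at + lifetime_s}).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"


def revoke_app(appid: str, when: int) -> None:
    """Record that appid's secret was revoked at `when` (e.g. when it was deleted)."""
    REVOKED_APPS[appid] = when


def validate_token(token: str, now: int) -> tuple[bool, str]:
    """Check signature and expiry, then reject tokens issued before a revocation."""
    try:
        header, claims, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(ISSUER_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    body = json.loads(_unb64(claims))
    if now >= body["exp"]:
        return False, "expired"
    revoked_at = REVOKED_APPS.get(body["appid"])
    if revoked_at is not None and body["iat"] <= revoked_at:
        return False, "issued before credential revocation"
    return True, "ok"
```

Because validation is otherwise offline, every API instance needs the same revocation table (a shared cache or configuration store), and a short token lifetime bounds how long a stale entry matters.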