5

I want to invalidate the bearer token in Asp.net-Identity. I tried to call the UpdateSecurityStampAsync(userId) and I can see that my user's security stamp gets updated. But the old tokens are still valid. Does that only invalidate cookie authentication?

Is it possible to solve it in another way?

4

2 Answers

7

You could do this by including the SecurityStamp (or some hash of it) in the token. You could then create your own OnReceive handler that verified the SecurityStamp for that user against the database.

The downside to this is you have a database hit for EVERY request, so it removes one of the key benefits of having a bearer token in the first place.

In effect, you would be combining the responsibilities of a bearer token and refresh token into one token.

Using refresh tokens instead, which are submitted much less frequently, will be far more performant, it won't really entail any more coding and it's a fairly widely recognised security flow model.

answered 2015-02-15T22:13:58.600
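One way to wire up the approach in this answer on a Katana/OWIN bearer pipeline, as an added example that is not the answerer's code. It assumes ASP.NET Identity 2.x with the template's `ApplicationUser` / `ApplicationUserManager` types registered via `CreatePerOwinContext`, and that the security stamp travels in the token under the claim type `AspNet.Identity.SecurityStamp` (Identity's default; hard-coded here as an assumption).

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;

public static class SecurityStampBearerValidation
{
    // Claim type ASP.NET Identity 2.x uses for the security stamp (assumed value).
    private const string SecurityStampClaimType = "AspNet.Identity.SecurityStamp";

    // 1. Token issuance: make sure the identity carries the user's current security stamp.
    //    Call this from your OAuthAuthorizationServerProvider.GrantResourceOwnerCredentials.
    public static async Task<ClaimsIdentity> CreateStampedIdentity(
        ApplicationUserManager userManager, ApplicationUser user)
    {
        var identity = await userManager.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType);
        if (!identity.HasClaim(c => c.Type == SecurityStampClaimType))
        {
            var stamp = await userManager.GetSecurityStampAsync(user.Id);
            identity.AddClaim(new Claim(SecurityStampClaimType, stamp));
        }
        return identity;
    }

    // 2. Token validation: on every request, compare the stamp inside the token with the
    //    one stored for the user. After UpdateSecurityStampAsync they differ, so the old
    //    token is rejected. This is the per-request database hit the answer warns about.
    public static OAuthBearerAuthenticationProvider CreateProvider()
    {
        return new OAuthBearerAuthenticationProvider
        {
            OnValidateIdentity = async context =>
            {
                var identity = context.Ticket == null ? null : context.Ticket.Identity;
                var stampClaim = identity == null ? null : identity.FindFirst(SecurityStampClaimType);
                var userId = identity == null ? null : identity.GetUserId();
                if (stampClaim == null || string.IsNullOrEmpty(userId))
                {
                    context.Rejected(); // token without a stamp is not trusted
                    return;
                }
                var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
                var currentStamp = await userManager.GetSecurityStampAsync(userId);
                if (!string.Equals(currentStamp, stampClaim.Value, StringComparison.Ordinal))
                {
                    context.Rejected(); // stamp was rotated: token is invalidated
                }
            }
        };
    }
}
```

Register it with `app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions { Provider = SecurityStampBearerValidation.CreateProvider() })` in your OWIN startup.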
-2

Out of the box it isn't possible to invalidate tokens, because they are generated by the server's machinekey.

answered 2015-08-26T17:31:16.520