C#

Invalidate JWT-Tokens on logout and password change.

Azazel 11/20/2023
I have an ASP.NET Web API that handles user interaction. For authentication I use JWT tokens. I realize that these tokens are only a way to confirm claims and do not carry state in any way. I want to give users the ability to log out, i.e. invalidate tokens, and change their password. I do not like the approach of storing the password hash in the token as it can be read. Also I have no clue if it would make sense to use a table for invalidated tokens and how I would go about implementing that feature. If you have any input or pointers I could use to help me it would be greatly appreciated. : )
x0rld 11/20/2023
You can only invalidate a refresh token, AFAIK.
Sossenbinder 11/20/2023
Indeed. What you can do though is store the token in a cache until it's expired and deny all incoming requests with that token attached. But for changing the password, this is not something you would carry in a JWT; you would use the JWT to authenticate the user so you can be sure the user you are currently updating is who it claims to be.
Azazel 11/20/2023
I fear that tokens created prior to the password change may still be used, therefore giving access to someone that may not know the password. For example, your account gets logged into from somewhere, you change the password, and they may still have a time window (until the token expires) to use it.
Sossenbinder 11/20/2023
You could also take note of the timestamp of the change and deny all tokens issued prior to that time, even if they are still valid on paper.
Azazel 11/20/2023
Hmm, good idea. Could I deny them in some kind of middleware?
Sossenbinder 11/20/2023
I'm actually not sure what it would look like in code, but I assume you could implement a middleware, yeah. I haven't worked with JWT in ASP.NET for a while, so I'm not sure whether the iat claim is available out of the box.
Azazel 11/20/2023
Ok, thanks.
Scratch 11/21/2023
It's someone who knew the password previously. Usually short-lived tokens are good enough. If you want to handle invalidation you need some kind of database to store invalidated keys.
PixxelKick 11/21/2023
This is why typically changing your password on most websites requires a re-login: as soon as they change their password you just straight up expire all their tokens you have stored server-side.
