C#, 7mo ago
Azazel

Invalidate JWT-Tokens on logout and password change.

I have an ASP.NET Web API that handles user interaction. For authentication I use JWT tokens. I realize that these tokens are only a way to confirm claims and do not carry state in any way. I want to give users the ability to log out, i.e. invalidate tokens, and to change their password. I do not like the approach of storing the password hash in the token, as it can be read. Also I have no clue if it would make sense to use a table for invalidated tokens and how I would go about implementing that feature. If you have any input or pointers I could use to help me, it would be greatly appreciated. : )
9 Replies
x0rld, 7mo ago
You can only invalidate refresh tokens, AFAIK.
Sossenbinder, 7mo ago
Indeed. What you can do, though, is store the token in a cache until it's expired and deny all incoming requests with that token attached. But for changing the password, this is not something you would carry in a JWT; you would use the JWT to authenticate the user so you can be sure the user you are currently updating is who it claims to be.
Azazel, 7mo ago
I fear that tokens created prior to the password change may still be used, therefore giving access to someone who may not know the password. For example: your account gets logged into from somewhere, you change the password, and they may still have a time window (until the token expires) to use it.
Sossenbinder, 7mo ago
You could also take note of the timestamp of the change and deny all tokens prior to that time, even if they are still valid on paper.
Azazel, 7mo ago
Hmm, good idea. Could I deny them in some kind of middleware?
Sossenbinder, 7mo ago
I'm actually not sure what it would look like in code, but I assume you could implement a middleware, yeah. I haven't worked with JWT in ASP.NET for a while, so I'm not sure whether the iat claim is available out of the box.
Azazel, 7mo ago
OK, thanks.
Scratch, 7mo ago
It's someone who knew the password previously. Usually short-lived tokens are good enough. If you want to handle invalidation, you need some kind of database to store invalidated keys.
PixxelKick, 7mo ago
This is why changing your password on most websites typically requires a re-login: as soon as they change their password, you just straight up expire all their tokens you have stored server-side.
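The following is an added example that is not part of the thread and not any poster's code. It puts the three suggestions above into one ASP.NET Core minimal API: a deny-list of token IDs (`jti`) that lives only until each token's own `exp` (Sossenbinder's "cache until expired"), a per-user cutoff timestamp set on password change so that every token whose `iat` is at or before it is refused (Sossenbinder's timestamp idea and PixxelKick's "expire everything"), and the check itself done in the `JwtBearerEvents.OnTokenValidated` hook rather than a custom middleware, which also answers the `iat` question: the claim is on `ctx.Principal` under its raw name once `MapInboundClaims` is turned off. `IRevocationStore`, `InMemoryRevocationStore`, the `Jwt:*` configuration keys and the `/logout` and `/password` routes are hypothetical names chosen for this example; the `Microsoft.AspNetCore.Authentication.JwtBearer` package is assumed, as are tokens issued with `sub`, `jti`, `iat` and `exp` (the latter two as Unix seconds).

```csharp
// Added example, not code from the thread. Hypothetical pieces: IRevocationStore /
// InMemoryRevocationStore, the Jwt:* configuration keys, and the /logout and /password routes.
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer package; tokens are assumed to carry
// the registered "sub", "jti", "iat" and "exp" claims (iat/exp as Unix seconds).
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<IRevocationStore, InMemoryRevocationStore>();
builder.Services.AddAuthorization();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.MapInboundClaims = false; // keep "sub", "jti", "iat" under their JWT names, not the legacy WS-* URIs
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = builder.Configuration["Jwt:Issuer"],
            ValidAudience = builder.Configuration["Jwt:Audience"],
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!)),
            ClockSkew = TimeSpan.FromSeconds(30),
        };
        o.Events = new JwtBearerEvents
        {
            // Runs only after signature, issuer, audience and exp were validated; Fail() yields a 401.
            OnTokenValidated = ctx =>
            {
                var store = ctx.HttpContext.RequestServices.GetRequiredService<IRevocationStore>();
                var sub = ctx.Principal?.FindFirst("sub")?.Value;
                var jti = ctx.Principal?.FindFirst("jti")?.Value;
                var iat = ctx.Principal?.FindFirst("iat")?.Value;
                if (sub is null || jti is null || !long.TryParse(iat, out var iatSeconds))
                {
                    ctx.Fail("token lacks sub, jti or iat"); // cannot be tied to logout/password state: not trusted
                    return Task.CompletedTask;
                }
                if (store.IsRevoked(jti))
                {
                    ctx.Fail("token revoked by logout");
                    return Task.CompletedTask;
                }
                var issuedAt = DateTimeOffset.FromUnixTimeSeconds(iatSeconds);
                if (store.NotBefore(sub) is { } cutoff && issuedAt <= cutoff)
                    ctx.Fail("token issued before the last password change");
                return Task.CompletedTask;
            }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Logout: deny-list this token's jti, but only until its own exp, so the list stays small.
app.MapPost("/logout", (ClaimsPrincipal user, IRevocationStore store) =>
{
    var jti = user.FindFirst("jti")!.Value;
    var exp = long.Parse(user.FindFirst("exp")!.Value);
    store.Revoke(jti, DateTimeOffset.FromUnixTimeSeconds(exp));
    return Results.NoContent();
}).RequireAuthorization();

// Password change: record the instant; every token of this user issued at or before it is now rejected.
app.MapPost("/password", (ClaimsPrincipal user, IRevocationStore store) =>
{
    // verifying the current password and storing the new hash is omitted here
    store.InvalidateAllBefore(user.FindFirst("sub")!.Value, DateTimeOffset.UtcNow);
    return Results.NoContent();
}).RequireAuthorization();

app.Run();

public interface IRevocationStore
{
    DateTimeOffset? NotBefore(string userId);            // tokens issued at or before this instant are dead
    void InvalidateAllBefore(string userId, DateTimeOffset when);
    bool IsRevoked(string jti);
    void Revoke(string jti, DateTimeOffset expires);
}

// Process-local store for illustration; several API instances need a shared store (database, Redis, ...).
public sealed class InMemoryRevocationStore : IRevocationStore
{
    private readonly ConcurrentDictionary<string, DateTimeOffset> _cutoffs = new();
    private readonly ConcurrentDictionary<string, DateTimeOffset> _revoked = new();

    public DateTimeOffset? NotBefore(string userId) =>
        _cutoffs.TryGetValue(userId, out var t) ? t : null;

    public void InvalidateAllBefore(string userId, DateTimeOffset when) => _cutoffs[userId] = when;

    public bool IsRevoked(string jti)
    {
        if (!_revoked.TryGetValue(jti, out var exp)) return false;
        if (exp <= DateTimeOffset.UtcNow) { _revoked.TryRemove(jti, out _); return false; } // expired anyway; prune
        return true;
    }

    public void Revoke(string jti, DateTimeOffset expires) => _revoked[jti] = expires;
}
```

Two details worth noting. `iat` has one-second granularity, so the comparison is deliberately `<=`: a token minted in the same second as the password change is treated as pre-change, which errs on the safe side and matches the usual "log in again after changing your password" flow. And the check covers access tokens only; any refresh tokens the server hands out must be revoked in the same handlers, otherwise the attacker simply mints a fresh access token.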