Reputation: 269
I don't know how to narrow down this question further: We are using Auth0 and WebApi 2. I need to display a list of all users who are currently logged in. More specifically, Auth0 issues a token, and this token is then sent with every request to our WebApi. I imagine I need to write the token and the associated id to the database every time a request is made to any controller with the specific token? Can someone give me a general idea of whether or not I am on the right path here, or what I should be reading?
Auth0 docs are of little help, since this seems to be an unusual requirement. Same with: http://www.asp.net/web-api/overview/security
I am not concerned about the client side. I just need the way to go on the server.
Edit: I added another part to this question in the comments: I would also like to know how to revoke tokens, effective immediately. To understand this, I believe I need to understand exactly how the backend verifies the token sent by the front end, and whether or not Auth0's server gets called for this at all.
Upvotes: 0
Views: 1882
Reputation: 6595
I'm a Developer Advocate at Auth0. Let me see if I can help you out :).
The whole idea of having an API that just checks the JWT is to have a stateless API. Being "logged in" doesn't really exist as a concept. All JWTs expire at some point in time, and that's what is checked when you call an API.
Therefore, what I suggest is the following:
Every time you get an API call, you save the JWT somewhere in memory. Then, when you need to get the logged-in users, you just grab all the JWTs that you have on that list and show the not-yet-expired ones as "logged in". Also, you should have a cron that goes over the list every 5 minutes and cleans out expired JWTs. It's not really "logged in" users, but I think it's close enough.
Would that work?
Thanks
Upvotes: 4
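The in-memory approach from the answer above, as an added example for ASP.NET Web API 2 that is not code from the original answer or from Auth0. It assumes the JWT has already been validated by the bearer-token middleware and [Authorize] before the filter runs, and that the validated principal carries the "sub" and "exp" claims; the class and method names are made up for this illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Registry of users whose most recently seen JWT has not expired (hypothetical helper).
public static class ActiveUserRegistry
{
    // Key: Auth0 user id (the "sub" claim); value: expiry (UTC) of the latest token seen for that user.
    private static readonly ConcurrentDictionary<string, DateTime> Seen =
        new ConcurrentDictionary<string, DateTime>();

    private static readonly DateTime UnixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    public static void Record(string subject, long expUnixSeconds)
    {
        var validTo = UnixEpoch.AddSeconds(expUnixSeconds);
        // Keep the later expiry if the user re-authenticated and got a fresh token.
        Seen.AddOrUpdate(subject, validTo, (_, old) => validTo > old ? validTo : old);
    }

    // "Logged in" here means: a valid, not-yet-expired token has been seen for this user.
    public static string[] LoggedInUsers(DateTime nowUtc)
    {
        return Seen.Where(kv => kv.Value > nowUtc).Select(kv => kv.Key).OrderBy(s => s).ToArray();
    }

    // Run from a timer (e.g. every 5 minutes) to drop expired entries; returns how many were removed.
    public static int Sweep(DateTime nowUtc)
    {
        var expired = Seen.Where(kv => kv.Value <= nowUtc).Select(kv => kv.Key).ToList();
        DateTime ignored;
        foreach (var key in expired) Seen.TryRemove(key, out ignored);
        return expired.Count;
    }
}

// Global action filter (config.Filters.Add(new RecordActiveUserAttribute())). Action filters run after
// authentication and authorization, so only tokens that were actually verified get recorded; the claims
// are read from the validated principal rather than re-parsed from the raw Authorization header.
public class RecordActiveUserAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal;
        var identity = principal == null ? null : principal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        // "sub" may have been mapped to NameIdentifier by the JWT handler; accept either.
        var sub = identity.FindFirst("sub") ?? identity.FindFirst(ClaimTypes.NameIdentifier);
        var exp = identity.FindFirst("exp");
        long expSeconds;
        if (sub != null && exp != null && long.TryParse(exp.Value, out expSeconds))
            ActiveUserRegistry.Record(sub.Value, expSeconds);
    }
}
```

Because the registry lives in process memory, it is per server instance and is lost on restart; for a farm, the same Record/Sweep logic would need a shared store.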