Stalso

Reputation: 1484

Asp. Net 5. Jwt tokens revocation

I am using the jwt tokens middleware and Asp.Net.OpenIdConnect.Server in my app. In fact, it works fine. But I am confused about one thing. If I use tokens, I cannot immediately grant new claims or ban my users. For example: I give my user an access token, which expires in 2 days, and a refresh token, which expires in 2 weeks. Then I give this user admin rights. But he will know about this only after 2 days, when his current access token expires and the auth server gives him a new token, using the refresh token. How can I give him new rights immediately, on the next request?

I understand that I need to check the database on every request, and give the user a new access token if needed. But where should I do it in aspnet 5? Maybe there are some good practices for such a thing?

Upvotes: 3

Views: 867

Answers (1)

Tseng

Reputation: 64121

One way of doing it is to put a unique identifier into your claims, which you can query to see if it's still valid. You can use the memory cache to store it, or some distributed memory cache such as Redis, so you don't have to hit the database every time.

When you ban the user or add a token, you mark this token as invalid by removing it from the cache. Each time the user refreshes the token, you should create a new unique id inside the token.

Upvotes: 2
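As an added illustration of the approach in the answer above (example code written for this page, not code from the question, the answer, or the OpenIdConnect.Server project), the following ASP.NET Core-style middleware keeps an allow-list of token ids (the `jti` claim) in `IMemoryCache` and rejects any authenticated request whose token id is no longer registered. Revoking the id on a ban, or when the user's rights change, forces the client to use its refresh token and come back with a token that carries the current claims. The names `TokenRegistry`, `TokenRevocationMiddleware` and `UseTokenRevocation` are invented for this example; it also assumes the bearer handler leaves the short `jti` claim name unmapped, and that `Register` is called wherever tokens are issued (including on refresh, with the fresh id the answer recommends).

```csharp
// Added example, not from the question or answer. Invented names: TokenRegistry,
// TokenRevocationMiddleware, UseTokenRevocation. Uses the Microsoft.AspNetCore.* namespaces
// (the ASP.NET 5 betas used Microsoft.AspNet.*; only the namespace prefix differs).
using System;
using System.IdentityModel.Tokens.Jwt;   // JwtRegisteredClaimNames.Jti == "jti"
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Caching.Memory;

// Allow-list of live token ids. A token is valid only while its id is present in the cache,
// so a missing entry fails closed (the client must refresh, as the answer describes).
public class TokenRegistry
{
    private readonly IMemoryCache _cache;

    public TokenRegistry(IMemoryCache cache)
    {
        _cache = cache;
    }

    private static string Key(string jti)
    {
        return "jti:" + jti;
    }

    // Call when an access token is minted (first issue and every refresh, each with a new jti).
    // The cache entry lives exactly as long as the token, so expired ids clean themselves up.
    public void Register(string jti, TimeSpan lifetime)
    {
        _cache.Set(Key(jti), true, new MemoryCacheEntryOptions
        {
            AbsoluteExpirationRelativeToNow = lifetime
        });
    }

    public bool IsActive(string jti)
    {
        object ignored;
        return _cache.TryGetValue(Key(jti), out ignored);
    }

    // Call on ban, or after granting new rights, so the next request is rejected and the
    // client obtains a token containing the updated claims.
    public void Revoke(string jti)
    {
        _cache.Remove(Key(jti));
    }
}

// Must run after the JWT bearer handler has populated HttpContext.User and before MVC.
// Startup sketch (assumed wiring):
//   services.AddMemoryCache(); services.AddSingleton<TokenRegistry>();
//   app.UseJwtBearerAuthentication(...); app.UseTokenRevocation(); app.UseMvc();
public class TokenRevocationMiddleware
{
    private readonly RequestDelegate _next;

    public TokenRevocationMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task Invoke(HttpContext context, TokenRegistry registry)
    {
        if (context.User != null && context.User.Identity != null && context.User.Identity.IsAuthenticated)
        {
            // Assumes the handler does not remap "jti" to a long claim-type URI.
            var claim = context.User.FindFirst(JwtRegisteredClaimNames.Jti);
            var jti = claim == null ? null : claim.Value;

            // No id at all, or an id that was revoked (or never registered): reject the request.
            if (string.IsNullOrEmpty(jti) || !registry.IsActive(jti))
            {
                context.Response.StatusCode = 401;
                return;
            }
        }

        await _next(context);
    }
}

public static class TokenRevocationExtensions
{
    public static IApplicationBuilder UseTokenRevocation(this IApplicationBuilder app)
    {
        return app.UseMiddleware<TokenRevocationMiddleware>();
    }
}
```

Because presence in the cache is what makes a token valid, a restart or memory-pressure eviction invalidates outstanding tokens rather than silently honouring a revoked one, which is the safe direction; on a multi-server deployment the same registry should sit on a shared store such as the Redis cache the answer mentions, otherwise a revocation on one node is invisible to the others.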
