Reputation: 301
How to invalidate a JWT token of a user after password is changed by someone
I created an MVC page used JWT authentication. Once a user logged in successfully, the app returns a JWT token to the user that's stored in the request header. But then a problem occurred. Another person also signs in with the same user account and changes the password. So the first logged in session should be terminated because of security issues. The solution I thought is invalidating the JWT token of that user. But I have to define when was the user's password changed. The JWT token doesn't contain the password information so I couldn't request to the backend server to determinate the password was changed every time the user (with old password) request to the server, either. I need some ideas, suggestions.
Upvotes: 1
Views: 1842
Answers (3)
Reputation: 971
For this feature you should add new property like SerialNumber as string on Users table
public class User { public string SerialNumber { get; set; } }
when you want to create new token for user add user SerialNumber to Claims like this
new Claim(ClaimTypes.SerialNumber, user.SerialNumber, ClaimValueTypes.String, issuer),
and when changed user password or username or status or every important property you should update serial number. when serial changed on token validator method after first http request will raise error code 401 (that means Unauthorized)
public async Task ValidateAsync(TokenValidatedContext context)
{
var claimsIdentity = context.Principal.Identity as ClaimsIdentity;
if (claimsIdentity?.Claims == null || !claimsIdentity.Claims.Any())
{
context.Fail("This is not our issued token. It has no claims.");
return;
}
var serialNumberClaim = claimsIdentity.FindFirst(ClaimTypes.SerialNumber);
if (serialNumberClaim == null)
{
context.Fail("This is not our issued token. It has no serial.");
return;
}
var userIdString = claimsIdentity.FindFirst(ClaimTypes.UserData).Value;
if (!int.TryParse(userIdString, out int userId))
{
context.Fail("This is not our issued token. It has no user-id.");
return;
}
var user = await _signInService.GetUserAsync(userId);
if (user == null)
{
context.Fail("User deleted!");
return;
}
if (user.SerialNumber != serialNumberClaim.Value || !user.Status)
{
context.Fail("This token is expired. Please login again.");
return;
}
}
on JWT Token configuration
OnTokenValidated = context =>
{
var tokenValidatorService = context.HttpContext.RequestServices.GetRequiredService<ITokenFactoryService>();
return tokenValidatorService.ValidateAsync(context);
},
Upvotes: 4
Reputation: 7615
Using the password directly in the token is a security risk, since an attacker could retrieve it from the user's computer. Better to either:
- include a unique token ID in the token, and maintain a list of revoked tokens (or of allowed tokens; whichever is a better fit). or
- include a "version number" in the user list, change it whenever the password is changed, and include the version number when the token is issued. That way, all old tokens can be rejected. @Mohammad's answer has an example of something similar.
None of those pieces of information means anything by themselves.
Upvotes: 1
Reputation: 31
Use password as claim in jwt? It will be checked in every request, so after password is changed it will return 401
Upvotes: 0
Related Questions
- How to force expire a JWT token in ASP.Net Core?
- How to invalidate tokens after password change
- How can I invalidate access tokens generated by Identity Core?
- How to revoke JWT Bearer Token in .net core API
- Could we destroy/invalidate JWT token in Asp.NET Core?
- How to invalidate or revoke jwt access token using Identity server 4 JWT authentication and Resource Owner Password grant?
- Handle previous jwt token where new jwt token also genrated for the same credential and security
- Invalidate Asp Net Identity Jwt Token
- How to invalidate previous JWT token after refresh
- Asp. Net 5. Jwt tokens revocation