Invalidate JWT tokens on logout and password change.
I have an ASP.NET Web API that handles user interaction. For authentication I use JWT tokens. I realize that these tokens are only a way to confirm claims and do not carry state in any way.
I want to give users the ability to log out, i.e. invalidate tokens, and to change their password. I do not like the approach of storing the password hash in the token as it can be read.
Also, I have no clue whether it would make sense to use a table for invalidated tokens, or how I would go about implementing that feature.
If you have any input or pointers I could use to help me it would be greatly appreciated. : )
9 Replies
you can only invalidate refresh tokens AFAIK
Indeed
What you can do though is store the token in a cache until it's expired
And deny all incoming requests with that token attached
But changing the password is not something you would carry in a JWT; you would use the JWT to authenticate the user so you can be sure the user you are currently updating is who it claims to be
I fear that tokens created prior to the password change may still be used, therefore giving access to someone that may not know the password.
for example, your account gets logged into from somewhere
you change the password, they may still have a time window (until the token expires) to use it.
You could also take a note of the timestamp change and deny all tokens prior to that time
Even if they are still valid on paper
hmm good idea.
could I deny them in some kind of middleware?
I'm actually not sure how it would look in code, but I assume you could implement a middleware, yeah. I haven't worked with JWT in ASP.NET for a while, so I'm not sure whether the iat claim is available out of the box
Ok thanks
it's someone who knew the password previously. Usually short-lived tokens are good enough. If you want to handle invalidation you need some kind of database to store invalidated keys
This is why typically changing your password on most websites requires a re-login, as soon as they change their password you just straight up expire all their tokens you have stored server side.
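Added example (my code, not part of the thread above): the two checks the replies suggest, wired into an ASP.NET Core JwtBearer setup. Logout puts the token's `jti` on a deny list that is kept only until the token's `exp` (plus the configured clock skew, since validation accepts a token that long after `exp`); a password change records a per-user cutoff, and any token whose `iat` is earlier than that cutoff is refused. Both checks run in the `OnTokenValidated` event, which fires after the signature and lifetime have already been verified and is the hook that plays the role of the middleware asked about above. The endpoint names, the in-memory `TokenRevocationStore`, the demo signing key and the 15-minute lifetime are my assumptions; `MapInboundClaims = false` keeps the raw `sub`/`jti`/`iat`/`exp` claim names, so `iat` is read straight from the principal.

```csharp
// Program.cs for an ASP.NET Core (.NET 6+) minimal API. Added example, not code from the thread;
// needs the Microsoft.AspNetCore.Authentication.JwtBearer package. Endpoints, store and key are assumptions.
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
// Demo-only values; load the real key from configuration or a secret store.
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-replace-me-with-at-least-32-bytes!!"));
var tokenLifetime = TimeSpan.FromMinutes(15);
var clockSkew = TimeSpan.FromSeconds(30);

builder.Services.AddSingleton<TokenRevocationStore>();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.MapInboundClaims = false; // keep the raw "sub", "jti", "iat", "exp" claim names
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = false, ValidateAudience = false, // single-service demo
            IssuerSigningKey = signingKey, ClockSkew = clockSkew,
        };
        options.Events = new JwtBearerEvents
        {
            // Runs after signature and exp/nbf checks passed; the stateful checks live here.
            OnTokenValidated = ctx =>
            {
                var store = ctx.HttpContext.RequestServices.GetRequiredService<TokenRevocationStore>();
                var p = ctx.Principal!;
                var jti = p.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
                var sub = p.FindFirst(JwtRegisteredClaimNames.Sub)?.Value;
                var iat = p.FindFirst(JwtRegisteredClaimNames.Iat)?.Value;
                if (jti is null || sub is null || !long.TryParse(iat, out var iatSeconds))
                    ctx.Fail("token lacks jti, sub or iat");
                else if (store.IsRevoked(jti))
                    ctx.Fail("token was logged out");
                else if (store.IssuedBeforeCutoff(sub, DateTimeOffset.FromUnixTimeSeconds(iatSeconds)))
                    ctx.Fail("token predates the user's last password change");
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// POST /login?user=alice  (the credential check is omitted; the user name is taken as given)
app.MapPost("/login", (string user) =>
{
    var now = DateTimeOffset.UtcNow;
    var claims = new[]
    {
        new Claim(JwtRegisteredClaimNames.Sub, user),
        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
        new Claim(JwtRegisteredClaimNames.Iat, now.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64),
    };
    var jwt = new JwtSecurityToken(claims: claims, notBefore: now.UtcDateTime,
        expires: now.Add(tokenLifetime).UtcDateTime,
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
    return Results.Ok(new { token = new JwtSecurityTokenHandler().WriteToken(jwt) });
});

// Logout: deny this jti until exp + clock skew (validation still accepts a token that long past exp).
app.MapPost("/logout", (ClaimsPrincipal me, TokenRevocationStore store) =>
{
    var jti = me.FindFirst(JwtRegisteredClaimNames.Jti)!.Value;
    var exp = long.Parse(me.FindFirst(JwtRegisteredClaimNames.Exp)!.Value);
    store.Revoke(jti, DateTimeOffset.FromUnixTimeSeconds(exp).Add(clockSkew));
    return Results.NoContent();
}).RequireAuthorization();

// Password change: once the new hash is stored (omitted), record "now" as this user's cutoff, so
// every token issued earlier, including the one presented here, is refused from now on.
app.MapPost("/password", (ClaimsPrincipal me, TokenRevocationStore store) =>
{
    store.InvalidateTokensIssuedBefore(me.FindFirst(JwtRegisteredClaimNames.Sub)!.Value, DateTimeOffset.UtcNow);
    return Results.NoContent();
}).RequireAuthorization();
app.Run();

// In-memory store; back it with Redis or a table so it survives restarts and is shared across instances.
public sealed class TokenRevocationStore
{
    private readonly ConcurrentDictionary<string, DateTimeOffset> _revokedUntil = new();
    private readonly ConcurrentDictionary<string, DateTimeOffset> _cutoffByUser = new();
    public void Revoke(string jti, DateTimeOffset keepUntil) => _revokedUntil[jti] = keepUntil;
    public bool IsRevoked(string jti)
    {
        if (!_revokedUntil.TryGetValue(jti, out var keepUntil)) return false;
        if (keepUntil > DateTimeOffset.UtcNow) return true;
        _revokedUntil.TryRemove(jti, out _); // past exp + skew: the lifetime check rejects it anyway
        return false;
    }
    public void InvalidateTokensIssuedBefore(string user, DateTimeOffset cutoff) => _cutoffByUser[user] = cutoff;
    public bool IssuedBeforeCutoff(string user, DateTimeOffset issuedAt) =>
        _cutoffByUser.TryGetValue(user, out var cutoff) && issuedAt < cutoff;
}
```

The deny list only has to remember a `jti` until `exp` plus the clock skew, so with short-lived tokens it stays small; a Redis set with a TTL, or a table with an expiry column that a job prunes, is what the "table for invalidated tokens" in the question would hold. The password-change cutoff is one timestamp per user rather than one row per token, which is why it also catches tokens the server never saw. Because `iat` has one-second resolution, a token issued in the same second as the change is refused too, so the client must log in again after changing the password, which is exactly the re-login most sites require.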