 

Manually expire JWT token from server - WEB API 2

I am working on an API server which receives requests from a mobile app. I am using JWT with ASP.Net MVC Web API 2. In this, Admin gives access to various departments to mobile app users. I set these DeptIds in Claims at the time of Login. On every authorised request from the app, in a custom action filter attribute I read the claims to match the deptId in the request URL with the claims. This whole scenario works fine.

Now my problem is, when Admin revokes access to any particular dept from an app user, how should I expire the access_token of that user so that, on the Login request call, I can set new Claims? Otherwise, Admin removes the access on the server but the deptId still exists in the user's Claims, so the user still has access to that department.

One way is to check the database for access on every request, but that increases the overhead on the server and also increases response time. So I don't want to go this way.

I didn't find anything on the web about how to expire a token in JWT. Can anyone help with this?

asked Oct 25 '16 by SarangK




1 Answer

A JWT token happens to be a kind of token that is self-contained, i.e. one can validate it without consulting an external entity.

That also means that there's no external entity that will tell you that the token was revoked or expired. Expiration can only happen by some property in the JWT itself; the exp claim was standardized for that purpose: it tells the recipient the time after which the information in it must no longer be considered valid.

answered Dec 21 '22 by Hans Z.
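The following is an added example, not code from the question or from Hans Z.'s answer, written in Python rather than the asker's C# so that it runs stand-alone with the standard library. It implements a minimal HS256 JWT (enough to show the self-contained property and the exp claim the answer describes) and a stand-in for the asker's action filter. It also goes one step beyond the answer to the revocation case the question raises: the token carries a small claims version number, and the server keeps a cheap per-user counter that the Admin bumps on revoke. Comparing one integer per request is far cheaper than re-reading the user's department grants from the database, and a short exp bounds how long a stale token can live even if that counter is lost. All names (issue_token, verify_token, DeptAuthorizer, the demo secret, the constructed users and department ids) are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for the example; a real server loads this from
# protected configuration, never from source.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(user_id, dept_ids, claims_version, now, ttl_seconds=900):
    """Issue an HS256 JWT carrying the user's department ids, an exp claim
    a short ttl_seconds from `now`, and the user's current claims version."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": user_id,
        "depts": sorted(dept_ids),
        "ver": claims_version,
        "iat": now,
        "exp": now + ttl_seconds,
    }
    signing_input = _encode_json(header) + "." + _encode_json(payload)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, now):
    """Return the payload or raise ValueError. The HMAC is checked before any
    claim is trusted, the alg is pinned to HS256, and exp is enforced, which
    is the only expiry a self-contained token can express on its own."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    expected = hmac.new(SECRET, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(_b64url_decode(p64))
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired")
    return payload


def with_modified_depts(token, dept_ids):
    """What a client would try: edit the readable payload and keep the old
    signature. Claims are visible without the key, but verify_token rejects it."""
    h64, _p64, s64 = token.split(".")
    payload = json.loads(_b64url_decode(_p64))
    payload["depts"] = sorted(dept_ids)
    return h64 + "." + _encode_json(payload) + "." + s64


class DeptAuthorizer:
    """Stand-in for the custom action filter attribute. `current_version` is
    the per-user claims version the Admin bumps on revoke; it would live in a
    cache rather than this dict, and is the only server-side state consulted."""

    def __init__(self):
        self.current_version = {}

    def revoke(self, user_id):
        """Admin removed a department: invalidate every token issued so far."""
        self.current_version[user_id] = self.current_version.get(user_id, 0) + 1

    def authorize(self, token, dept_id, now):
        try:
            payload = verify_token(token, now)
        except ValueError:
            return False
        if payload.get("ver") != self.current_version.get(payload.get("sub"), 0):
            return False  # claims changed since issue: client must log in again
        return dept_id in payload.get("depts", [])
```

After `revoke`, the old token still has a valid signature and an unexpired exp, yet `authorize` refuses it because the version no longer matches; the app's next Login then receives a token with the new department list and the new version. The trade-off against the answer's point is explicit: exp is the only expiry the JWT itself can express, and anything faster than exp needs some server-side state, here reduced to one integer per user.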