Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Manually expire JWT token from server - WEB API 2

Tags:

jwt

asp.net-web-api2

I am working on a api server which revives requests from a mobile app. I am using JWT with ASP.Net MVC Web API 2. In this Admin gives access of various departments to mobile app users. I set these DeptIds in Claims at the time of Login. On every authorised request from app, in a custom action filter attribute I read claims to match deptId in request URL with claims. This all scenario works fine.

Now my problem is, when Admin revokes access of any particular dept from app user, how should I expire the access_token of that user so that, on Login request call, I can set new Claims. Otherwise, as Admin removes access from server but the deptId still exists in user's Claims so user still have access to that department.

One way is on every request, check in database for access but that increases overhead of server also increases response time. So I don't want to go this way.

I didn't find anything on web how to expire token in JWT. Can any one help on this?

like image 447
SarangK Avatar asked Oct 25 '16 07:10

SarangK

People also ask

Can you manually expire JWT token?

Well, As mentioned above, after a token has been generated, you can not manually expire. You can not log out on the server side with JWT. If you want to restrict the usage of a token when a user logs out.

How can I expire my existing JWT token?

There are two methods of registering the expiry of the token both are shown below with an explanation. Creating an expression of an expiry time. Providing expiry time of JWT token in the options argument of the method.

How do I manually expire access token?

You can change the access token lifetime using the Auth0 Dashboard. Go to Dashboard > Applications > APIs and click the name of the API to view. Locate the Token Expiration (Seconds) field, and enter the appropriate access token lifetime (in seconds) for the API. Default value is 86,400 seconds (24 hours).

1 Answers

A JWT token happens to be a kind of token that allows it to be self-contained i.e. one can validate it without consulting an external entity.

That also means that there's no external entity that will tell you that the token was revoked or expired. Expiration can only happen by some property in the JWT itself; the exp claim was standardized for that purpose: it will tell the recipient the time after which the information in it must no longer consider to be valid

like image 126
Hans Z. Avatar answered Dec 21 '22 23:12

Hans Z.
Sign in to Comment

Related questions

Why is CORS Disabled by Default?
FormUrlEncodedMediaTypeFormatter vs JQueryMvcFormUrlEncodedFormatter
REST API Http status code best practices
How can I signal cancellation to Web API actions when the self-hosted OWIN server shuts down?
WebAPI call using volley
Customize attribute names with Web API default model binder?
Return custom HTTP code from ActionFilterAttribute
Disable caching of Web API responses
JsonConverter with Interface
How to get object on ASP.NET Web API?
webapi 2 - how to properly invoke long running method async/in new thread, and return response to client
Uncaught TypeError: Failed to execute 'append' on 'FormData': 2 arguments required, but only 1 present
Return a list of errors with BadRequest (WebApi)
Difference between Web API and Azure API APP in Visual Studio
WebApi2 attribute routing inherited controllers
OData v4 Web API support for Composite Keys
Modifying the Introduction on the Web API help page
ASP.NET Web API 2 - double backslash in string after serialization
parallel.foreach and httpclient - strange behaviour
HttpContext .NET core saving instance in Middleware

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!