Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is BearerOption.SaveToken property used for?

What bearerOption.SaveToken property used for in the configuration of JwtAuthentication in aspnet core 2 ?

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                    .AddJwtBearer(bearer =>
                    {
                        bearer.TokenValidationParameters.IssuerSigningKey = signingKey as SecurityKey;
                        bearer.TokenValidationParameters.ValidIssuer = Configuration["Jwt:Issuer"];
                        bearer.TokenValidationParameters.ValidAudience = Configuration["Jwt:Audience"];
                        bearer.TokenValidationParameters.ClockSkew = TimeSpan.Zero;
                        bearer.TokenValidationParameters.ValidateLifetime = true;
                        bearer.TokenValidationParameters.ValidateAudience = true;
                        bearer.TokenValidationParameters.ValidateIssuer = true;
                        bearer.TokenValidationParameters.ValidateIssuerSigningKey = true;
                        bearer.TokenValidationParameters.RequireExpirationTime = true;
                        bearer.TokenValidationParameters.RequireSignedTokens = true;
                        // ******
                        bearer.SaveToken = true;
                        // ******
                    });
like image 759
Hicham Avatar asked Mar 15 '18 14:03

Hicham


2 Answers

bearer.SaveToken is used to indicate whether the server must save the token server side to validate them. So even when a user has a properly signed and encrypted token, it'll not pass token validation if it is not generated by the server. This is a security reinforcement so even when the signing key is compromised, your application is not.

Downside:

  • If your application is restarted, recycled your token is no longer valid.
  • If you have a distributed application, this will not work for you.
like image 107
Hicham Avatar answered Sep 28 '22 06:09

Hicham


It is a property that defines whether the bearer token should be stored in the AuthenticationProperties after a successful authorization.

like image 6
Michael Henderson Avatar answered Nov 18 '22 16:11

Michael Henderson