2
votes

I have implemented a JWT authentication and a policy-based authorization in ASP.NET Core. There is a certain user with admin privileges who can assign permissions to non-admin users. If the admin updates the permissions/claims of a non-admin user, is there a way to force expire the access token so that the user carrying it will be forced to request a new access token with the newly updated permissions/claims? Right now, the only way to do that is to wait for the token to expire, but I want to force expire it immediately.

1
Could you edit this post and show us how you coded your authorization by JWT? – michasaucer
@michasaucer The code is just a very simple implementation of JWT auth in ASP.NET Core 2.*/3.* that you can easily find in Google and/or other docs and blogs. I just want to force expire the access token that's already in the hands of the valid user when that user's permissions are updated. – Wendell

1 Answer

2
votes

Authentication based on JWT tokens is stateless on the server side, so a token keeps working until it expires. There are some approaches to the problem:

  • Not including the roles and permissions in the token claims, and fetching these values from the database on each request.
  • Using a refresh token mechanism: set the refresh interval to a few minutes and return a new token when that interval has expired. That way you know to fetch the new permissions only for tokens whose refresh interval has expired (not on each request). New permissions take effect within a few minutes, but the authenticated user doesn't need to log in again.
  • Creating a blacklist of tokens and appending the last issued token to it (not recommended).
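The following is an added example, not code from the question or the answer above, showing how the first and third approaches wire into ASP.NET Core's JWT bearer authentication: an `IClaimsTransformation` that attaches the user's current permissions from a store on every request (so the token itself carries none), and a `JwtBearerEvents.OnTokenValidated` hook that rejects tokens whose `jti` is on a revocation list. `IPermissionStore`, `InMemoryPermissionStore`, `TokenBlacklist`, the policy name `CanManageUsers`, the permission string `users.manage` and the issuer/audience values are all hypothetical placeholders for this example; the framework types (`IClaimsTransformation`, `JwtBearerEvents`, `TokenValidationParameters`, `RequireClaim`) are the real ASP.NET Core / Microsoft.IdentityModel APIs.

```csharp
// Added example (not from the original post). Assumed names are marked "hypothetical".
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Hypothetical permission store; in a real app this reads from the database.
public interface IPermissionStore
{
    Task<string[]> GetPermissionsAsync(string userId);
}

public sealed class InMemoryPermissionStore : IPermissionStore
{
    private readonly ConcurrentDictionary<string, string[]> _perms = new ConcurrentDictionary<string, string[]>();
    // Called by the admin endpoint when permissions change; the next request sees the new set.
    public void Set(string userId, params string[] permissions) => _perms[userId] = permissions;
    public Task<string[]> GetPermissionsAsync(string userId) =>
        Task.FromResult(_perms.TryGetValue(userId, out var p) ? p : Array.Empty<string>());
}

// Approach 1: the JWT carries only identity; permissions are loaded per request from the store.
public sealed class PermissionClaimsTransformation : IClaimsTransformation
{
    private readonly IPermissionStore _store;
    public PermissionClaimsTransformation(IPermissionStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // The bearer handler maps "sub" to NameIdentifier by default; accept either.
        var userId = principal.FindFirst(ClaimTypes.NameIdentifier)?.Value
                     ?? principal.FindFirst(JwtRegisteredClaimNames.Sub)?.Value;
        if (userId == null || !(principal.Identity is ClaimsIdentity)) return principal;

        // Work on a clone: the transformation may run more than once per request.
        var clone = principal.Clone();
        var identity = (ClaimsIdentity)clone.Identity;
        foreach (var stale in identity.FindAll("permission").ToList()) identity.RemoveClaim(stale);
        foreach (var p in await _store.GetPermissionsAsync(userId)) identity.AddClaim(new Claim("permission", p));
        return clone;
    }
}

// Approach 3: server-side revocation list keyed by the token's jti (hypothetical class).
// This reintroduces state, which is why the answer marks it "not recommended".
public sealed class TokenBlacklist
{
    private readonly ConcurrentDictionary<string, DateTime> _revoked = new ConcurrentDictionary<string, DateTime>();
    public void Revoke(string jti, DateTime expiresUtc) => _revoked[jti] = expiresUtc;
    public bool IsRevoked(string jti) => _revoked.ContainsKey(jti);
    // Entries can be dropped once the token would have expired on its own anyway.
    public void Purge(DateTime nowUtc)
    {
        foreach (var kv in _revoked.Where(kv => kv.Value <= nowUtc).ToList()) _revoked.TryRemove(kv.Key, out _);
    }
}

public static class JwtAuthSetup
{
    // Call from Startup.ConfigureServices (2.x/3.x) or from the builder in .NET 6+.
    public static void Configure(IServiceCollection services, SecurityKey signingKey)
    {
        services.AddSingleton<IPermissionStore, InMemoryPermissionStore>();
        services.AddSingleton<TokenBlacklist>();
        services.AddTransient<IClaimsTransformation, PermissionClaimsTransformation>();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o =>
            {
                o.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,   ValidIssuer = "https://issuer.example",   // hypothetical
                    ValidateAudience = true, ValidAudience = "api.example",            // hypothetical
                    ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30),
                    ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey,
                };
                o.Events = new JwtBearerEvents
                {
                    // Runs after signature and lifetime checks pass; a Fail() here yields 401.
                    OnTokenValidated = ctx =>
                    {
                        var blacklist = ctx.HttpContext.RequestServices.GetRequiredService<TokenBlacklist>();
                        var jti = ctx.Principal.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
                        if (jti == null || blacklist.IsRevoked(jti))
                            ctx.Fail("token has been revoked or carries no jti");
                        return Task.CompletedTask;
                    }
                };
            });

        // Policy-based authorization evaluated against the per-request "permission" claims.
        services.AddAuthorization(o =>
            o.AddPolicy("CanManageUsers", p => p.RequireClaim("permission", "users.manage")));
    }
}
```

With the claims transformation in place, an admin change to `IPermissionStore` is visible on the user's very next request, at the cost of one store lookup per request. The blacklist only works if the issuer records each user's last issued `jti` at login so the admin can pass it to `Revoke`, and it has to be shared across all API instances; that server-side state is exactly what the stateless JWT model was meant to avoid.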