Canceling JWT tokens in .NET Core

Quite some time ago I published an article (along with the source code) about refreshing JWT tokens. In the following post, I’m going to focus on canceling a token so that it can no longer be used by anyone. This tutorial includes a video, so it might be easier to understand the implementation flow.

Given that we do not make use of OAuth (IdentityServer etc.) what can we do in terms of canceling the active tokens? We have a few options:

  • Remove token on the client side (e.g. local storage) – will do the trick, but doesn’t really cancel the token.
  • Keep the token lifetime relatively short (5 minutes or so) – most likely we should do it anyway.
  • Create a blacklist of tokens that were deactivated – this is what we are going to focus on.

The important note is that, in order to make it reliable, we will use Redis to store the deactivated tokens on an extremely fast caching server. Whether you host a single instance of your application or multiple ones, it’s the best idea to use Redis – otherwise, when a server goes down, you will lose the entire blacklist of deactivated tokens kept in the default in-memory server cache (not to mention that each server would hold different data if it kept its own cache).

Alright, no more theory, let’s proceed with the coding, starting with the interface:

And proceed with its implementation, where the basic idea is to keep track of deactivated tokens only and remove them from the cache when they are no longer needed (meaning once their expiry time has passed) – they would not be valid anymore anyway.

As you can see, there are 2 helper methods that use the current HttpContext to make things even easier.
Next, let’s create a middleware that checks whether the token was deactivated. That’s the reason we should keep the blacklist in cache – hitting the database on every request instead would probably kill your app sooner or later (or at least make it really, really slow):

Eventually, let’s finish our journey with implementing an endpoint for canceling the tokens:

For sure, we could make it more sophisticated, by passing the token via URL, or by canceling all of a user’s existing tokens at once (which would require additional implementation to keep track of them), yet this is a basic sample that just works.
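As an added example (not the post’s own source code), here is a minimal version of the blacklist and the middleware described above, built on IDistributedCache, which ASP.NET Core backs with Redis when the StackExchange Redis cache provider is registered. The class names TokenManager and TokenManagerMiddleware, the key prefix, and hashing the token for the cache key instead of storing the raw token are assumptions of this example.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Caching.Distributed;

// Assumed names; not the post's own code. IDistributedCache is backed by Redis
// when registered with AddStackExchangeRedisCache, otherwise by the in-memory cache.
public class TokenManager
{
    private readonly IDistributedCache _cache;
    private readonly IHttpContextAccessor _http;
    public TokenManager(IDistributedCache cache, IHttpContextAccessor http) { _cache = cache; _http = http; }

    // Active = a bearer token is present on the request and no blacklist entry exists for it.
    public async Task<bool> IsCurrentActiveTokenAsync()
        => GetCurrentToken() is string t && await _cache.GetAsync(Key(t)) == null;

    public async Task DeactivateCurrentAsync()
    {
        var token = GetCurrentToken();
        if (token == null) return;
        // Keep the entry only until the token would have expired on its own (exp claim).
        var ttl = new JwtSecurityTokenHandler().ReadJwtToken(token).ValidTo - DateTime.UtcNow;
        if (ttl <= TimeSpan.Zero) return;
        await _cache.SetAsync(Key(token), new byte[] { 1 },
            new DistributedCacheEntryOptions { AbsoluteExpirationRelativeToNow = ttl });
    }

    private string GetCurrentToken() =>
        _http.HttpContext?.Request.Headers["Authorization"].ToString() is string h && h.StartsWith("Bearer ") ? h.Substring(7) : null;

    // Key on a SHA-256 hash so the blacklist never stores a usable credential (an assumption of this example).
    private static string Key(string token)
    {
        using (var sha = SHA256.Create())
            return "deactivated-token:" + BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(token))).Replace("-", "");
    }
}

// Rejects requests whose bearer token is on the blacklist; anonymous requests pass through.
public class TokenManagerMiddleware
{
    private readonly RequestDelegate _next;
    public TokenManagerMiddleware(RequestDelegate next) { _next = next; }
    public async Task InvokeAsync(HttpContext context, TokenManager tokens)
    {
        if (context.Request.Headers.ContainsKey("Authorization") && !await tokens.IsCurrentActiveTokenAsync())
        { context.Response.StatusCode = StatusCodes.Status401Unauthorized; return; }
        await _next(context);
    }
}
```

Register it with services.AddHttpContextAccessor(), services.AddTransient<TokenManager>() and services.AddStackExchangeRedisCache(...), then add app.UseMiddleware<TokenManagerMiddleware>() after UseAuthentication() so that malformed tokens are already rejected before the blacklist lookup; the cancel endpoint simply calls DeactivateCurrentAsync().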

Make sure that you register the required dependencies in your container and configure the middleware:

And provide a configuration for Redis in appsettings.json file:

Try to run the application now and invoke the token cancellation endpoint – that’s it.
Source code is available here.

2 Comments Canceling JWT tokens in .NET Core

  2. usps tracking

    The article is great and very detailed, easy to understand, I also read many other articles and I found your article has helped me a lot of information, thank you for sharing.
