
I have implemented JWT Bearer token based authentication and authorization. I am using the below code for destroying the JWT token or logging out the current user, but it's not working.

    // First attempt (commented out): strip the claims from the current request's principal.
    //var claim = _httpContextAccessor.HttpContext.User.Claims;
    // var users = await _userManager.FindByNameAsync(_httpContextAccessor.HttpContext.User.Identity.Name);
    //  var identity = _httpContextAccessor.HttpContext.User.Identity as ClaimsIdentity;
    // foreach (var item in claim)
    // {
    //     identity.RemoveClaim(item);
    // }

    // Second attempt: Identity's sign-out, which clears the authentication cookie.
    await _signInManager.SignOutAsync();
Sumit Rawat
    Welcome to Stack Overflow, @SumitRawat. In what way is your code not working? What result are you getting? What result do you expect? – Degan Sep 11 '17 at 17:55
  • I may be wrong here, so if someone else knows better please leave a comment. I thought JWT Bearer tokens should be revoked client side? – David Lee Sep 11 '17 at 18:01
  • Yes @DavidLee, I want to revoke the JWT bearer token from the server. In the above code I am just trying to remove the claims of the user – Sumit Rawat Sep 11 '17 at 18:06
  • Is there any way to invalidate the token or change the expiry date into the past? – Sumit Rawat Sep 11 '17 at 18:07
  • Possible duplicate of [How can I revoke a JWT token?](https://stackoverflow.com/questions/31919067/how-can-i-revoke-a-jwt-token) – David Lee Sep 11 '17 at 18:30
  • @SumitRawat View my link above, seems like this is not an easy thing to do. – David Lee Sep 11 '17 at 18:30
  • There is also this reference: https://forums.asp.net/t/2023270.aspx?How+to+revoke+invalidate+Bearer+token+in+Asp+Net+WebApi+2+2+when+using+OAuth which says there is no built-in functionality. – David Lee Sep 11 '17 at 18:34
  • Everywhere it shows that it's not easy to do, but my actual problem is that when I change the password, after that the token is generated only by the previous credential – Sumit Rawat Sep 12 '17 at 13:39

1 Answer

It is not possible to cancel/revoke a JWT token during a user's logout; it is not straightforward, but there is a workaround to that. You can try following the steps below:

  • Set a reasonable expiration time on tokens
  • Delete the stored token from client side upon log out
  • Have DB of no longer active tokens that still have some time to live
  • Query provided token against The Blacklist on every authorized request

I am also pasting 2 links below that I myself found very helpful:

vasilisdmr
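The four steps of the answer put together as an added ASP.NET Core example (not code from the question or the answer): it assumes the token issuer places a jti claim in every token it signs, and the names TokenDenylist, LogoutController and the in-memory store are assumptions of this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Step 3: revoked token ids keyed by jti, kept only until the token would expire anyway.
// Assumed in-memory store; several server instances need a shared table or cache instead.
public sealed class TokenDenylist
{
    private readonly ConcurrentDictionary<string, DateTimeOffset> _revoked = new ConcurrentDictionary<string, DateTimeOffset>();
    public void Revoke(string jti, DateTimeOffset expiresAt)
    {
        foreach (var entry in _revoked)   // purge entries whose token has already expired
            if (entry.Value <= DateTimeOffset.UtcNow) _revoked.TryRemove(entry.Key, out _);
        _revoked[jti] = expiresAt;
    }
    public bool IsRevoked(string jti) =>
        _revoked.TryGetValue(jti, out var expiresAt) && expiresAt > DateTimeOffset.UtcNow;

    // Step 4: register with services.AddSingleton<TokenDenylist>() and assign this to options.Events
    // inside AddJwtBearer(...); it runs on every authorized request after signature and lifetime checks.
    public static JwtBearerEvents Events() => new JwtBearerEvents
    {
        OnTokenValidated = ctx =>
        {
            var denylist = ctx.HttpContext.RequestServices.GetRequiredService<TokenDenylist>();
            var jti = ctx.Principal?.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
            if (jti == null || denylist.IsRevoked(jti))   // no jti means it can never be revoked: reject
                ctx.Fail("token revoked");
            return Task.CompletedTask;
        }
    };
}

// Step 2, server side: logout records the presented token's jti until its exp claim;
// the client deletes the token from its own storage at the same time.
public sealed class LogoutController : ControllerBase
{
    [Authorize, HttpPost("account/logout")]
    public IActionResult Logout([FromServices] TokenDenylist denylist)
    {
        var jti = User.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
        var exp = User.FindFirst(JwtRegisteredClaimNames.Exp)?.Value;
        if (jti != null && long.TryParse(exp, out var unixSeconds))
            denylist.Revoke(jti, DateTimeOffset.FromUnixTimeSeconds(unixSeconds));
        return NoContent();
    }
}
```

Step 1 is configuration rather than code: keep the token lifetime short so the denylist stays small and a lost token stops working soon even if logout is never called.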