1

We have used the JWT authentication scheme and the resource owner password grant type with IdentityServer. The backend is a set of .NET Core-based microservices, which provide access tokens to an Angular-based front-end website.

As a JWT is not revocable and the business requirement is to have a longer access token lifetime, it seems the only option is to keep track of blacklisted tokens in a database or cache.

Is there any way to modify the access token on the backend and make it expire immediately when the user triggers log out from the frontend?

Pratik
  • Please note that the resource owner password credentials (ROPC) flow is a security threat. It's [not recommended](https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications) and is (probably for that reason) no longer part of the [documentation](http://docs.identityserver.io/en/latest/topics/grant_types.html). – Jan 12 '20 at 08:33

2 Answers

2

A JWT cannot be revoked; this is by design, as it is self-contained. The revocable alternative is a reference token, which is not self-contained, so the server needs to actively communicate with the identity server.

The compromise and common approach is to set the access token lifetime to a lower value and increase the refresh token lifetime. Refresh tokens are revocable; this is supported by IdentityServer 4 as well. So it is all about the trade-off between the frequency of communication with your identity server and a long access token lifetime.

Mayo
0

The JWT tokens are stored in the browser, so you can delete the cookie holding them. But this option gives no security on the server side.

If you are worried about deleted/suspended accounts then yes, you have to create a blacklist, but you have to check tokens against it on each request.

The other option is to reduce the expiry times and rotate the tokens. There is a post with more details here: "Invalidating JSON Web Tokens".

TiGreX
  • A short expiry time is one solution, but the requirement is to have a long expiry time. It would be great if there were some way in IdentityServer to modify the access token by setting the expiry time to the current time, or some other mechanism. – Pratik Jan 11 '20 at 14:40
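Neither answer shows what the two approaches look like in code, so the following Python is an added example; it is not code from the original question, from IdentityServer or from the .NET backend the asker describes. It implements a stdlib-only HS256 JWT with a pinned `alg`, the per-request `jti` denylist that the question and the second answer call a blacklist, and the short-lived access token plus revocable, rotating refresh token that the first answer recommends. It also shows why the backend cannot simply edit `exp` on an issued token: the signature stops verifying. The key, claim names, lifetimes and the `JtiDenylist`/`RefreshStore` names are assumptions made for the demo; `demo()` runs every scenario at a fixed clock and returns the outcomes.

```python
# Added example, not code from the original Q&A, IdentityServer or the question's .NET
# backend. Stdlib only; key, claim names, lifetimes and class names are constructed.
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-key-do-not-reuse"  # assumption: one shared HS256 key


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _dump(obj):
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_jwt(claims, key=SECRET):
    signing_input = f"{_dump({'alg': 'HS256', 'typ': 'JWT'})}.{_dump(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token, now, key=SECRET):
    """Claims if signature, pinned alg and exp hold, else None. The token is self-contained:
    the backend can only accept or reject it as signed, so rewriting 'exp' server-side
    cannot shorten a copy the client already holds."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        return None
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":  # pin alg, no 'none'
        return None
    claims = json.loads(_unb64url(body_b64))
    return None if claims.get("exp", 0) <= now else claims


class JtiDenylist:
    """The question's 'blacklist in a cache': revoked jti values, each dropped once its own
    token's exp passes so the table stays bounded. Consulted on every protected request."""
    def __init__(self):
        self._exp_by_jti = {}  # jti -> exp of the revoked token

    def revoke(self, claims):
        self._exp_by_jti[claims["jti"]] = claims["exp"]

    def is_revoked(self, claims, now):
        for jti, exp in list(self._exp_by_jti.items()):
            if exp <= now:
                del self._exp_by_jti[jti]
        return claims.get("jti") in self._exp_by_jti

    def authorize(self, token, now):
        claims = verify_jwt(token, now)
        return None if claims is None or self.is_revoked(claims, now) else claims


class RefreshStore:
    """Opaque refresh handles kept server-side (hence revocable, as the first answer says).
    Each use rotates the handle; logout deletes it. Access tokens stay short-lived."""
    def __init__(self, access_ttl=300, refresh_ttl=30 * 24 * 3600):
        self.access_ttl, self.refresh_ttl = access_ttl, refresh_ttl
        self._sessions = {}  # handle -> (sub, refresh exp)

    def issue(self, sub, now):
        claims = {"sub": sub, "jti": secrets.token_hex(8), "iat": int(now), "exp": int(now) + self.access_ttl}
        handle = secrets.token_urlsafe(32)
        self._sessions[handle] = (sub, now + self.refresh_ttl)
        return mint_jwt(claims), handle

    def refresh(self, handle, now):
        record = self._sessions.pop(handle, None)  # single use: the old handle is spent
        if record is None or record[1] <= now:
            return None
        return self.issue(record[0], now)

    def logout(self, handle):
        self._sessions.pop(handle, None)


def demo():
    now = 1_700_000_000.0
    store, denylist = RefreshStore(access_ttl=300), JtiDenylist()
    access, refresh = store.issue("alice", now)
    claims = verify_jwt(access, now)
    # Backend edits exp: the body changes, so the original signature no longer matches.
    header_b64, _, sig_b64 = access.split(".")
    tampered = f"{header_b64}.{_dump(dict(claims, exp=int(now) - 1))}.{sig_b64}"
    access2, refresh2 = store.refresh(refresh, now + 10)  # normal rotation
    denylist.revoke(claims)  # logout under the denylist approach
    store.logout(refresh2)  # logout under the short-access/long-refresh approach
    return {
        "tampered_exp_rejected": verify_jwt(tampered, now) is None,
        "jwt_still_verifies_after_logout": verify_jwt(access, now) is not None,
        "denylist_refuses_it_anyway": denylist.authorize(access, now) is None,
        "denylist_entry_pruned_after_exp": not denylist.is_revoked(claims, now + 301),
        "spent_refresh_handle_refused": store.refresh(refresh, now + 20) is None,
        "refresh_refused_after_logout": store.refresh(refresh2, now + 60) is None,
        "access2_outlives_logout_only_until_exp": verify_jwt(access2, now + 60) is not None
        and verify_jwt(access2, now + 311) is None,
    }
```

Every value returned by `demo()` is True. The denylist entry is dropped once the token's own `exp` passes, which keeps the table bounded even with the long access-token lifetime the question asks for, but every protected request now pays a lookup, which is the same round trip the first answer attributes to reference tokens. Under the refresh-token approach, logout only stops new access tokens from being minted; the current one remains valid until its own short `exp`, which is the window the asker has to accept in exchange for a stateless check.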