I'm trying to figure out what would be the best way to invalidate a jwt token. Reading other questions I could not understand what is the best way.
My backend is configured as follows: I have 3 web APIs, one of which is configured with asp net identity jwt. The client in order to use the other 2 web API must first request a jwt token to the login API.
Doing tests I realized that if a user requests a token and immediately after reset the password, the token is not invalidated, because the validation on the other apis considers only issuer and audienceSecret
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { audienceId },
IssuerSecurityTokenProviders = new IIssuerSecurityTokenProvider[]
{
new SymmetricKeyIssuerSecurityTokenProvider(issuer, audienceSecret)
}
});
Is there any way to invalidate the token?
Thanks for your help
No, it is not. A token is meant to be like that. THis is why in most cases people work with 2 tokens a - short lived access token (that is just taken for granted) and a long lived refresh token. And you check again every time you turn out a new access token fora given refresh token.
What you can do is have the authentication endpoint CHECK the token against invalidation. This will create a very high number of requests. It is not needed in most cases.
In your example, i.e. why should the token be invalidated? The user changed the password - he did not log out.