authentication - Could we destroy JWT token in Asp.NET Core?


I use ASP.NET Core and ASP.NET Core Identity to generate a JWT token.

On the client side, a React (SPA) app calls the API to create the token and includes `Authorization: Bearer <token from API>` in subsequent requests.

When the user wants to log out, how can I expire the token on the server side?

Currently I just delete the bearer token on the client side, so it is not included in the next request?

reference: https://blogs.msdn.microsoft.com/webdev/2017/04/06/jwt-validation-and-authorization-in-asp-net-core/


Code in the Configure section of Startup.cs:

// Validates incoming bearer tokens: issuer, audience, signature (symmetric HMAC key) and lifetime.
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = "mysite",
        ValidAudience = "mysite",
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("veryl0ngkeyv@lueth@tissecure")),
        ValidateLifetime = true
    }
});

API action that creates the token:

[HttpPost("token")]
public async Task<IActionResult> CreateToken([FromBody] LoginModel model)
{
    try
    {
        var user = await userManager.FindByNameAsync(model.Email);

        // Guard against an unknown user before touching user.PasswordHash.
        if (user != null &&
            passwordHasher.VerifyHashedPassword(user, user.PasswordHash, model.Password) == PasswordVerificationResult.Success)
        {
            var claims = new[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, user.UserName),
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), // unique token id
                new Claim(JwtRegisteredClaimNames.Email, user.Email)
            };

            // Must match the IssuerSigningKey configured in Startup.cs.
            var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("veryl0ngkeyv@lueth@tissecure"));
            var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
            var token = new JwtSecurityToken(
                "mysite",
                "mysite",
                claims,
                expires: DateTime.UtcNow.AddMinutes(45),
                signingCredentials: creds);

            return Ok(new
            {
                token = new JwtSecurityTokenHandler().WriteToken(token),
                expiration = token.ValidTo,
            });
        }
        return BadRequest();
    }
    catch (Exception ex)
    {
        logger.LogError(ex.ToString());
        return StatusCode((int)HttpStatusCode.InternalServerError);
    }
}

You can't have the token expire on demand without losing the advantages of JWT or making the solution more complex.

Your best bet is to make the access token lifetime short enough (<= 5 mins) and have a long-running refresh token.

But if you want to invalidate immediately, you need a few things:

  1. Cache the token's id once the token is created, for as long as the expiration time of the token (both access and refresh token).
  2. [If farm/multiple instances] you need to cache it in a distributed cache, e.g. Redis.
  3. [If farm/multiple instances] you need to propagate it via a message bus (i.e. using Redis, RabbitMQ or Azure message bus) to every instance of the application, so each can store it in a local memory cache (so you don't have to make a network call each time you want to validate it).
  4. During authorization, you need to validate whether the id is still inside the cache; if not, refuse authorization (401).
  5. When the user logs out, you need to remove the item from the cache.
  6. [If farm/multiple instances] remove the item from the distributed cache and send a message so the instances can remove it from their local cache.

Other solutions that do not require a message bus/distributed cache require contacting the auth server on every single request, killing the main advantage of the JWT token.

The main advantage of JWT is that it is self-contained, and the web service does not have to call another service to validate it. It can be validated locally by validating the signature (since the token can't be changed by the user without invalidating the signature) and the expiration time/audience the token is meant for.
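The steps above (record the jti at issue time, check it on every request, remove it at logout) as an added example, not code from the question or the answer. It assumes ASP.NET Core 2.x or later (the `AddJwtBearer` events API with `context.Fail`), an `IDistributedCache` registered in DI (Redis in a farm, in-memory for a single instance), and hypothetical names `LiveTokenStore` and `JwtRevocationEvents`; the local-memory-cache plus message-bus layer from steps 3 and 6 is left out.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;

// Allow-list of live token ids. A token whose jti is missing here is refused
// even though its signature and lifetime are still valid. (Hypothetical helper.)
public static class LiveTokenStore
{
    private const string Prefix = "jwt:live:";

    // Step 1: called right after the token is issued; the entry expires exactly
    // when the token does, so the cache never outlives the tokens it tracks.
    public static Task RegisterAsync(IDistributedCache cache, string jti, DateTime validTo) =>
        cache.SetStringAsync(Prefix + jti, "1",
            new DistributedCacheEntryOptions { AbsoluteExpiration = validTo });

    // Step 5: called from the logout endpoint; the next request with this token gets 401.
    public static Task RevokeAsync(IDistributedCache cache, string jti) =>
        cache.RemoveAsync(Prefix + jti);

    public static async Task<bool> IsLiveAsync(IDistributedCache cache, string jti) =>
        await cache.GetStringAsync(Prefix + jti) != null;
}

// Step 4: hook the bearer handler after signature/lifetime checks passed.
// Wire it up with: options.Events = JwtRevocationEvents.Create(); inside AddJwtBearer(...).
public static class JwtRevocationEvents
{
    public static JwtBearerEvents Create() => new JwtBearerEvents
    {
        OnTokenValidated = async context =>
        {
            var jti = context.Principal?.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
            var cache = context.HttpContext.RequestServices.GetRequiredService<IDistributedCache>();

            // A token without a jti cannot be revoked individually, so treat it as revoked.
            if (jti == null || !await LiveTokenStore.IsLiveAsync(cache, jti))
            {
                context.Fail("token has been revoked or carries no jti");
            }
        }
    };
}
```

In the token endpoint, call `LiveTokenStore.RegisterAsync(cache, jti, token.ValidTo)` before returning the token; the cache lookup on every request is the price of immediate revocation that the answer describes.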
