问题
I have implemented a JWT authentication and a policy-based authorization in ASP.NET Core. There is a certain user with admin privileges who can assign permissions to non-admin users. If the admin updates the permissions/claims of a non-admin user, is there a way to force expire the access token so that user carrying it will be forced to request a new access token with the newly updated permissions/claims? Right now, the only way to that is to wait for the token to expire but I want to force expire it immediately.
回答1:
Authentication based on JWT tokens is stateless in serverside. So when a token is not expired it will work. There are some approaches to the problem:
- Not including the roles and permissions in the token claims and getting these values from the database in each request.
- Using refresh token mechanism and set a refreshing time to a few minutes and return a new token when refreshing time is expired. Therefore for the tokens with the expired refreshing time you know to get the new access permissions(not in each request). New permissions will set in few minutes but the authenticated user doesn't need to log in again.
- Creating a set of black-list tokens and append the last issued token to that (not recommended).
来源:https://stackoverflow.com/questions/59213051/how-to-force-expire-a-jwt-token-in-asp-net-core