How does ASP.NET Core handle token revocation in JWT-based authentication?
Sardar Mudassar Ali Khan
ASP.NET Core's JWT bearer authentication (the JwtBearer handler) is stateless: the server validates the signature, issuer, audience and expiry of each incoming token and keeps no record of which tokens it has issued, so a JWT is normally valid until it expires. That is what makes revocation tricky; there is no central place to invalidate a token once it has been issued. There are, however, several strategies for implementing revocation in ASP.NET Core, each trading some statelessness for control:
1. Use short-lived access tokens with refresh tokens
Access token: short-lived (e.g., 5 to 15 minutes). Keep ClockSkew in TokenValidationParameters in mind: it defaults to 5 minutes, so a token is still accepted for that long past its exp unless you lower it.
Refresh token: long-lived, opaque (a random value, not a JWT) and stored server-side, typically in a database; store a hash of it rather than the raw value, and rotate it on every use.
If you need to revoke a token, invalidate the corresponding refresh token in the DB.
The access token still works until it expires (so revocation takes effect within one access-token lifetime), and the revoked refresh token blocks any further access after that.
How to revoke: mark the refresh token as invalid in your database.
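The pattern above in code, as an added example that is not part of the original post. It assumes the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens NuGet packages; the in-memory dictionary is a stand-in for the refresh-token table in a real database, and the issuer, audience and lifetimes are illustrative values.

```csharp
// Added example: short-lived JWT access token + opaque, revocable, single-use refresh token.
// Assumes packages System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens.
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public sealed class RefreshTokenRecord
{
    public string UserId { get; init; } = "";
    public DateTime ExpiresUtc { get; init; }
    public bool Revoked { get; set; }
}

public sealed class TokenService
{
    // Stand-in for the refresh-token table. Keyed by SHA-256 of the raw token, so a
    // leaked table does not hand out usable refresh tokens.
    private readonly ConcurrentDictionary<string, RefreshTokenRecord> _refreshTokens = new();
    private readonly SymmetricSecurityKey _signingKey;
    private readonly string _issuer;
    private readonly string _audience;

    public TokenService(string issuer, string audience, byte[] signingKey)
    {
        _issuer = issuer;
        _audience = audience;
        _signingKey = new SymmetricSecurityKey(signingKey); // HS256 needs at least 32 bytes
    }

    public (string AccessToken, string RefreshToken) Issue(string userId)
    {
        var now = DateTime.UtcNow;
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, userId),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
        };
        var jwt = new JwtSecurityToken(
            issuer: _issuer,
            audience: _audience,
            claims: claims,
            notBefore: now,
            expires: now.AddMinutes(10), // short-lived: revocation latency is bounded by this
            signingCredentials: new SigningCredentials(_signingKey, SecurityAlgorithms.HmacSha256));
        var accessToken = new JwtSecurityTokenHandler().WriteToken(jwt);

        // The refresh token is an opaque random value, never a JWT, so it carries no claims
        // a client could inspect and is meaningless without the server-side record.
        var rawRefresh = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _refreshTokens[Hash(rawRefresh)] = new RefreshTokenRecord
        {
            UserId = userId,
            ExpiresUtc = now.AddDays(7),
        };
        return (accessToken, rawRefresh);
    }

    // Rotation: a valid refresh token yields a new pair and is itself revoked (single use),
    // so a stolen refresh token that is replayed after the legitimate client used it fails.
    public (string AccessToken, string RefreshToken)? Refresh(string refreshToken)
    {
        if (!_refreshTokens.TryGetValue(Hash(refreshToken), out var rec)) return null;
        if (rec.Revoked || rec.ExpiresUtc <= DateTime.UtcNow) return null;
        rec.Revoked = true;
        return Issue(rec.UserId);
    }

    // Revocation (logout): the current access token keeps working until its exp,
    // but no new access token can be minted afterwards.
    public bool Revoke(string refreshToken)
    {
        if (!_refreshTokens.TryGetValue(Hash(refreshToken), out var rec)) return false;
        rec.Revoked = true;
        return true;
    }

    private static string Hash(string value) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(value)));
}
```

Usage: call Issue on login, Refresh when the client presents its refresh token after the access token expires, and Revoke on logout. Because Refresh marks the presented token revoked before issuing a new one, a second call with the same refresh token returns null, which is the signal to force a full re-login.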
2. Maintain a token denylist (blacklist)
Store the identifiers (jti) of revoked JWTs in a database or a distributed cache such as Redis; an entry only needs to live until the token's exp, so give it a matching TTL.
On each request, check whether the incoming token's jti (JWT ID) is on the list.
Steps:
Include a jti claim (a unique, unguessable value such as a GUID) in every JWT you issue.
On logout or revocation, store the jti in the denylist.
A JwtBearerEvents.OnTokenValidated handler (or middleware, or a custom authorization policy) checks the list on each request and fails the request on a match.
Note: this adds a stateful lookup to every request, partially defeating the purpose of JWT's statelessness, but it gives immediate revocation of individual tokens.
3. Use ASP.NET Core Data Protection tokens
If you need revocable tokens and do not need a JWT, ASP.NET Core Identity's built-in DataProtectorTokenProvider produces tokens that embed the user's security stamp; UserManager validates that stamp against the stored user, so calling UpdateSecurityStampAsync (which Identity already does on password change) invalidates every outstanding token for that user, and revoking the data-protection key that protected them invalidates all of them at once. These are not JWTs, but they suit scenarios like email confirmation and password reset.
4. Use token versioning (per user)
Store a token version (an integer counter) on the user record in the DB.
Include that version as a claim in every JWT you issue for the user.
When validating the JWT, compare the version claim with the current value in the DB (again a lookup per request, which can be cached briefly).
When the user changes their password, logs out everywhere, or has their account disabled, increment the version; every token carrying the old value is rejected from then on. Unlike the denylist, this revokes all of a user's tokens at once rather than a single one.
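Strategies 2 and 4 share the same enforcement point, a JwtBearerEvents.OnTokenValidated handler, so here is one added example (not from the original post) that wires both checks into a minimal ASP.NET Core app: a jti denylist in IDistributedCache and a per-user token_version comparison. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package, a Jwt:Key configuration value, illustrative issuer and audience strings, a custom claim named token_version, and a hypothetical IUserVersionStore interface standing in for the users table (AddDistributedMemoryCache stands in for Redis).

```csharp
// Added example: OnTokenValidated enforcing (a) a jti denylist and (b) per-user token versions.
// Assumes package Microsoft.AspNetCore.Authentication.JwtBearer and a Jwt:Key config value.
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDistributedMemoryCache(); // stand-in; use AddStackExchangeRedisCache in production
builder.Services.AddSingleton<IUserVersionStore, InMemoryUserVersionStore>(); // hypothetical store
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.MapInboundClaims = false; // keep "sub" and "jti" under their JWT names
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example",   // illustrative
            ValidAudience = "api",                     // illustrative
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!)),
            ClockSkew = TimeSpan.FromSeconds(30),      // default is 5 minutes
        };
        // Fires only after signature, issuer, audience and expiry have already passed.
        options.Events = new JwtBearerEvents { OnTokenValidated = Revocation.CheckAsync };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/me", (ClaimsPrincipal user) => user.FindFirstValue(JwtRegisteredClaimNames.Sub))
   .RequireAuthorization();
app.Run();

// Hypothetical abstraction over the users table's TokenVersion column.
public interface IUserVersionStore
{
    Task<int?> GetTokenVersionAsync(string userId);
    Task BumpTokenVersionAsync(string userId); // call on password change / logout-everywhere
}

public sealed class InMemoryUserVersionStore : IUserVersionStore
{
    private readonly ConcurrentDictionary<string, int> _versions = new();
    public Task<int?> GetTokenVersionAsync(string userId) =>
        Task.FromResult(_versions.TryGetValue(userId, out var v) ? v : (int?)null);
    public Task BumpTokenVersionAsync(string userId)
    {
        _versions.AddOrUpdate(userId, 1, (_, v) => v + 1);
        return Task.CompletedTask;
    }
}

public static class Revocation
{
    public const string VersionClaim = "token_version"; // custom claim name (assumption)

    private static string DenylistKey(string jti) => "jwt:revoked:" + jti;

    // Logout of one token: deny its jti until the token would have expired anyway,
    // so the cache entry removes itself and the denylist cannot grow without bound.
    public static Task DenylistAsync(IDistributedCache cache, string jti, DateTimeOffset expiresUtc)
    {
        if (expiresUtc <= DateTimeOffset.UtcNow) return Task.CompletedTask;
        return cache.SetStringAsync(DenylistKey(jti), "1",
            new DistributedCacheEntryOptions { AbsoluteExpiration = expiresUtc });
    }

    public static async Task CheckAsync(TokenValidatedContext ctx)
    {
        var principal = ctx.Principal!;
        var jti = principal.FindFirstValue(JwtRegisteredClaimNames.Jti);
        var sub = principal.FindFirstValue(JwtRegisteredClaimNames.Sub);

        // Fail closed: a token that cannot be revoked is not accepted at all.
        if (jti is null || sub is null ||
            !int.TryParse(principal.FindFirstValue(VersionClaim), out var tokenVersion))
        {
            ctx.Fail("token lacks jti, sub or token_version");
            return;
        }

        var services = ctx.HttpContext.RequestServices;

        // Check (a), strategy 2: this specific token was denylisted.
        var cache = services.GetRequiredService<IDistributedCache>();
        if (await cache.GetStringAsync(DenylistKey(jti)) is not null)
        {
            ctx.Fail("token revoked");
            return;
        }

        // Check (b), strategy 4: the user's version moved on, so every older token is dead.
        var users = services.GetRequiredService<IUserVersionStore>();
        var current = await users.GetTokenVersionAsync(sub);
        if (current != tokenVersion)
            ctx.Fail("token version superseded");
    }
}
```

Two details matter in practice. MapInboundClaims = false stops the handler from renaming "sub" to ClaimTypes.NameIdentifier, which would otherwise make the sub lookup return null and reject every token. And both checks fail closed: a token missing the revocation claims, or belonging to a user with no stored version, is rejected rather than waved through, which is the behaviour you want if an older issuer is still minting tokens without them.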