
How does ASP.NET Core handle token revocation in JWT-based authentication?

ASP.NET Core uses JWT (JSON Web Tokens) for stateless authentication, meaning once a JWT is issued, it is typically valid until it expires—there is no built-in server-side session tracking. This stateless nature makes token revocation a bit tricky, as there’s no centralized place to invalidate a token once it’s been issued. However, there are several strategies to implement token revocation effectively in ASP.NET Core:

🔐 1. Use Short-lived Access Tokens with Refresh Tokens
Access token: Short-lived (e.g., 5–15 minutes).

Refresh token: Long-lived and stored securely (typically in a database).

If you need to revoke a token, invalidate the corresponding refresh token in the DB.

The access token will naturally expire soon, and the revoked refresh token will block further access.

How to revoke: Mark the refresh token as invalid in your database.

🛑 2. Maintain a Token Blacklist
Store a list of revoked JWTs (by jti or token string) in a database or distributed cache like Redis.

On each request, check if the incoming token’s jti (JWT ID) is in the blacklist.

Steps:

Include a jti claim in your JWTs.

On logout or revocation, store the jti in a blacklist.

Middleware or a custom policy checks the blacklist on each request.

📌 Note: This adds a stateful layer, partially defeating the purpose of JWT’s statelessness, but it’s effective.

🧠 3. Use ASP.NET Core Data Protection Tokens
If you need revocable tokens and don’t want to use JWT, ASP.NET Core has built-in data protection token providers (used in Identity framework) that allow token revocation by changing the signing key, user stamp, etc. These aren’t JWTs, but useful for some scenarios like email confirmation and password reset.

🧾 4. Use Token Versioning (per user)
Store a token version field in the user record in the DB.

Include the token version as a claim in the JWT.

When verifying the JWT, compare the token version in the DB and token.

If a user changes their password or logs out, increment the token version to revoke existing tokens.
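An added example (not code from the answer above) showing how strategies 2 and 4 plug into the JwtBearer pipeline: an OnTokenValidated hook that rejects a token whose jti is blacklisted or whose version claim no longer matches the user's current version. The IRevocationStore interface and the token_version claim name are assumptions; a real app would back the store with Redis or the user table.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.JsonWebTokens;

// Hypothetical store; in production back it with Redis (jti entries expiring at the
// token's exp) and the user table (token version column).
public interface IRevocationStore
{
    Task<bool> IsJtiRevokedAsync(string jti);        // strategy 2: blacklist lookup
    Task<int?> GetTokenVersionAsync(string userId);   // strategy 4: current per-user version
}

public static class JwtRevocationSetup
{
    public const string TokenVersionClaim = "token_version"; // assumed custom claim name

    // Wire up in Program.cs:
    // builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    //        .AddJwtBearer(JwtRevocationSetup.ConfigureRevocationChecks);
    public static void ConfigureRevocationChecks(JwtBearerOptions options)
    {
        options.Events = new JwtBearerEvents
        {
            // Runs only after signature, issuer, audience and expiry have already been validated.
            OnTokenValidated = async context =>
            {
                var principal = context.Principal!;
                var store = context.HttpContext.RequestServices.GetRequiredService<IRevocationStore>();

                // A token without a jti can never be blacklisted, so treat it as invalid.
                var jti = principal.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
                if (string.IsNullOrEmpty(jti) || await store.IsJtiRevokedAsync(jti))
                {
                    context.Fail("Token is revoked or carries no jti.");
                    return;
                }

                // "sub" is mapped to NameIdentifier when inbound claim mapping is on; check both.
                var userId = (principal.FindFirst(ClaimTypes.NameIdentifier)
                              ?? principal.FindFirst(JwtRegisteredClaimNames.Sub))?.Value;
                var current = userId is null ? null : await store.GetTokenVersionAsync(userId);
                var claimed = principal.FindFirst(TokenVersionClaim)?.Value;

                // Any mismatch (or missing data) fails closed: logout/password change bumps the version.
                if (current is null || !int.TryParse(claimed, out var v) || v != current)
                    context.Fail("Token version is stale.");
            }
        };
    }
}
```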