
JWT authentication problem #2952


User avatar
0
parviz created

Hi dears, I have a question about the ASP.NET Core Web Api + Angular4 template. You are using JWT for authentication. My question is about it. If I change the password or something about the user, JWT validation has to fail and a new JWT token should be needed (f.e. for security reasons, user blocked, password changed). Currently in your template validation fails only when the expire date is reached. In our project we have strict rules for such cases. What should we use in order to invalidate the current user token if something (f.e. password, username) about the user changed? P.S. When generating the JWT token a number of claims is used. For example: username, role, security stamp. Are these claims validated also when the JWT token is validated? I think no. Because I changed the username and the token was still successfully validated, or when the password is changed a new security stamp is generated, but the token is still successfully validated. I think it is a big problem.


6 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    I think you can define OnTokenValidated of JwtBearerEvents in CreateJwtBearerAuthenticationOptions method in AuthConfigurer class and check user's password with token by using UserManager.

    Please let us know if this does not work for you.

    Thanks.

  • User Avatar
    0
    parviz created

    Ok. Thank you. This will help. But what do I have to do in order to return a 401 result from here? (I mean a "token is invalid" response, and this has to cause redirecting to the login page.)

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    I haven't tried running it but you can do it like this.

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication.JwtBearer;

    private static Task Test(TokenValidatedContext arg)
    {
        // Resolve the template's UserManager from request-scoped DI (GetService returns object, so cast it)
        var userManager = (UserManager)arg.HttpContext.RequestServices.GetService(typeof(UserManager));
        // Compare the claims carried in the token (username, security stamp, ...) with the user's stored data here
        arg.Response.StatusCode = 401;
        return Task.CompletedTask;
    }
    
    var userManager = arg.HttpContext.RequestServices.GetService(typeof(UserManager));
    

    This line should give you an instance of UserManager using DI, then you can use it to check info in the token against the user's real data.

    By the way, you can use a security stamp for doing this. This issue can help you: https://github.com/aspnetboilerplate/aspnetboilerplate/issues/818.

    Thanks.
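
    The two answers above describe the mechanism (hook OnTokenValidated, resolve UserManager from DI, compare the token's claims with the user's stored security stamp). The following is an added example, not code from the ABP template or from the people in this thread. It assumes ASP.NET Core 2.x (Microsoft.AspNetCore.Authentication.JwtBearer plus ASP.NET Core Identity's generic UserManager<TUser>), a hypothetical AppUser Identity type, and that the token carries the stamp under Identity's default claim type "AspNet.Identity.SecurityStamp". Instead of writing 401 to the response directly, it calls context.Fail, which is the 2.x way to reject an otherwise valid token; the bearer handler then challenges with 401 because no principal is attached to the request.

    ```csharp
    // Added example: revoke a JWT whose security-stamp claim no longer matches
    // the stamp stored for the user. Not the ABP template's own code.
    // Assumes ASP.NET Core 2.x JwtBearer + Identity; AppUser is hypothetical.
    using System;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.AspNetCore.Identity;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.IdentityModel.Tokens;

    public class AppUser : IdentityUser { }

    public static class SecurityStampTokenValidation
    {
        // Default claim type Identity writes the stamp under
        // (IdentityOptions.ClaimsIdentity.SecurityStampClaimType). Assumed here.
        public const string SecurityStampClaimType = "AspNet.Identity.SecurityStamp";

        // Runs only after signature and lifetime checks already passed.
        // A password change regenerates the stamp, so every token issued
        // before the change fails this comparison on its next request.
        public static async Task OnTokenValidated(TokenValidatedContext context)
        {
            var stampInToken = context.Principal?.FindFirst(SecurityStampClaimType)?.Value;
            if (string.IsNullOrEmpty(stampInToken))
            {
                context.Fail("Token carries no security stamp claim.");
                return;
            }

            // Request-scoped DI, same idea as GetService(typeof(UserManager)) above.
            var userManager = context.HttpContext.RequestServices
                .GetRequiredService<UserManager<AppUser>>();

            // Looks the user up by the principal's user-id claim.
            var user = await userManager.GetUserAsync(context.Principal);
            if (user == null)
            {
                context.Fail("Token subject no longer exists.");
                return;
            }

            var currentStamp = await userManager.GetSecurityStampAsync(user);
            if (!string.Equals(stampInToken, currentStamp, StringComparison.Ordinal))
            {
                // Fail() discards the principal; the handler's challenge answers 401.
                context.Fail("Security stamp changed; token revoked.");
            }
        }
    }

    // Wiring for Startup.ConfigureServices. Issuer/audience are placeholders.
    public static class JwtSetup
    {
        public static void Configure(IServiceCollection services, SymmetricSecurityKey signingKey)
        {
            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidIssuer = "placeholder-issuer",
                        ValidAudience = "placeholder-audience",
                        IssuerSigningKey = signingKey,
                        ValidateLifetime = true
                    };
                    options.Events = new JwtBearerEvents
                    {
                        OnTokenValidated = SecurityStampTokenValidation.OnTokenValidated
                    };
                });
        }
    }
    ```

    Two things to keep in mind with this design: the check costs one user lookup per authenticated request, so it trades the statelessness of JWT for immediate revocation; and the stamp claim must actually be written into the token at login, otherwise every token is rejected by the first branch.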

  • User Avatar
    0
    parviz created

    Dear Ismail, I validated token with security stamp also. Your above solution doesn't work. I have tried it before you. It gives error in UI. Redirecting to /account/login happens when AbpSession.UserId is null. For this I think claims extracted from token somehow should be removed.

    I am using Asp.Net Core and Angular 4 template. Could you please provide working solution for this case ?

  • User Avatar
    0
    parviz created

    Dears, any update on the case below? It is important for us. We want to invalidate the request when the user's security stamp has changed. In order to redirect the user to /account/login, AbpSession.UserId should be null. How can I achieve this?

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    I have tried the solution above, returning 401, and in my tests it is returning 404 using Postman. When I send an invalid token it also returns 404. I think this is related to https://github.com/aspnet/Security/issues/292.

    Thanks.