How Web API token is validated

  • Question

  • User390567641 posted

    In token-based authentication in an API:

    Suppose I have logged in with valid credentials and created a first token; its expiry time is one day, and I have kept this token.

    Then I have logged out and re-logged in with valid credentials and created a second token; its expiry time is one day, and I have kept the second token.

    Can we access resources with the first token before its expiration? If not, how is the first token validated so that it is not a valid token now? Because tokens are not stored on the server side. The token has encrypted information about the user and the expiry time, but it is not stored on the server.

    Does anyone have any idea about this?

    Thanks

    Monday, November 19, 2018 11:45 AM

All replies

  • User475983607 posted

    The client application is responsible for saving the token. Your client application will need to store both tokens, which is unusual. Whether the first token works or not depends on how your code works, which we cannot see.

    Monday, November 19, 2018 12:37 PM
  • User390567641 posted

    We know that we will keep it on the client side. But I want to know how the server will validate my first token as invalid if the server is not storing anything.

    Monday, November 19, 2018 1:32 PM
  • User475983607 posted

    We know that we will keep it on the client side. But I want to know how the server will validate my first token as invalid if the server is not storing anything.

    Again, we cannot see your code. Only you can answer this question.

    How does your server validate tokens currently? What kind of token are you using? What protocol are you using?

    Monday, November 19, 2018 2:03 PM
  • User-474980206 posted

    The typical server validation is to check the expiration and signature. If you want more, you will need to code it. You could keep the last logout time in the token and verify it on every request.

    Monday, November 19, 2018 3:09 PM
  • User1724605321 posted

    Hi farhanahmad212,

    As @Bruce said, server-side validation usually checks the token's expiry time, signature, and issuer. Once the user obtains an access token, he'll be able to access the server resources as long as his access token is not expired; there is no standard way to revoke access tokens unless the Authorization Server implements custom logic, which forces you to store generated access tokens in a database and do database checks with each request.

    Best Regards,

    Nan Yu

    Tuesday, November 20, 2018 3:02 AM
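An added example (not code from this thread or from ASP.NET Web API) illustrating the two answers above: with only signature and expiry checks, a token issued before the re-login still validates, and rejecting it needs server-side state such as the per-user last-logout time Bruce suggested. The compact HMAC token format, the signing key and the user name are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"demo-signing-key"  # constructed for this example; keep real keys out of source

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user: str, issued_at: int, ttl: int = 86400) -> str:
    """Mint a self-contained token: base64(payload).base64(HMAC-SHA256 over payload)."""
    claims = {"sub": user, "iat": issued_at, "exp": issued_at + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"

def validate_stateless(token: str, now: int):
    """The checks the answers describe: signature and expiry only, no server state."""
    try:
        body, sig = token.split(".")
        payload = _unb64(body)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # payload tampered with, or signed with another key
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None  # expired
    return claims  # an older, unexpired token still passes here

# Server-side state that stateless validation lacks: last logout time per user.
LAST_LOGOUT = {}

def logout(user: str, at: int) -> None:
    LAST_LOGOUT[user] = at

def validate_with_logout(token: str, now: int):
    """Stateless checks plus: reject tokens issued before the user's last logout."""
    claims = validate_stateless(token, now)
    if claims is None:
        return None
    if claims["iat"] < LAST_LOGOUT.get(claims["sub"], 0):
        return None  # issued before the last logout, so treated as revoked
    return claims
```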