Logout In JWT Asp.net core RRS feed

  • Question

  • User338455301 posted


    when user click logout i want invalid or remove or expired token from jwt in .net core api ,

    how to do it ?

    Saturday, July 13, 2019 4:43 AM

All replies

  • User475983607 posted

    when user click logout i want invalid or remove or expired token from jwt in .net core api ,

    how to do it ?

    It depends on how you designed the token validation. 

    If you wrote the client code then simply delete the token on the client.  Otherwise, the server needs a copy of the token perhaps stored in a database.  Update the database record when the user logs out.  Of course the server code needs to compare the token in the request to the database on each request.

    Can you explain the design?   Or provide code?  Anything?

    Saturday, July 13, 2019 11:18 AM
  • User338455301 posted


                var secretKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("Itisa Secret Key Abroon"));
                var signinCredentials = new SigningCredentials(secretKey, SecurityAlgorithms.HmacSha256);
                var tokenOption = new JwtSecurityToken(
                    issuer: "https://itisa.abroon.net",
                    claims: new List<Claim>
                        new Claim(ClaimTypes.Name,user.UserName),
                        new Claim(ClaimTypes.Role,"Customer")
                    expires: DateTime.Now.AddHours(1),  
                    signingCredentials: signinCredentials
                var token = new JwtSecurityTokenHandler().WriteToken(tokenOption);
                return token;

    i just create token and send to client and client send on header for his requests

    and get user of token with below code

      var user = await _userRepository.GetAsync(x => x.UserName == User.Identity.Name);

    and i dont store token any where (database , ...)

    and i want when client requested logout the token set expired or removed or invalidate , how to do it ?

    Sunday, July 14, 2019 4:39 AM
  • User475983607 posted

    and i want when client requested logout the token set expired or removed or invalidate , how to do it ?

    Asking the same question twice without making code changes indicates that you do not understand how JWTs work and you think there is a magical line of code you can write to force a client to expire the token.  Simply, this is an application feature.  If you have not designed and coded this feature then this feature does not exist in your application.

    The code shown creates a token and gives the token to the client.  From this point, the client owns the token.  The client can do whatever the client likes with the token.  You have not posted any client code and therefore we have no idea how you designed the client or if expiring the JWT on the client is possible.  We have no idea if you have control over the client code.

    In order for the server to invalidate the client's token the server must have a record of the user's token.  This is very standard state management in web applications.  The server logic uses the client's token to lookup the token record.  If the token record is expired then the server returns a 401.  The validation happens on each request and it is code that you must design and write.  

    Sunday, July 14, 2019 11:41 AM
  • User1724605321 posted

    Hi elahi1mahdi,

    Revoke the jwt token is not easy , there is no standard way to revoke access tokens unless the Authorization Server implements custom logic which forces you to store generated access token in database and do database checks with each request.

    A simply way is using short lived access tokens and refresh token , use refresh token to renew the access token , if you want to revoke the user , revoke the refresh token on server side , clear refresh token and access token on client side .

    Best Regards,

    Nan Yu

    Monday, July 15, 2019 1:49 AM
  • User338455301 posted

    Ok, but i can't find any code for revoke it 

    Monday, July 15, 2019 4:21 AM
  • User-474980206 posted
    You need to write that code. You could store the token server side in a database, with a valid column. When you create the token, mark as valid, on logout mark as invalid. You then check if the token is valid on every request. You could add a validation claim to the token, and just track the validation claim in the database.

    Monday, July 15, 2019 3:55 PM