
ASP.NET Core. How can I invalidate JWT-Token after password change

Sorry for my bad English. I'm writing an application in ASP.NET Core using Vue.JS for the client side. For authenticating users I'm using JWT and ASP.NET Identity. I have a method for changing the password. But I can't understand: how do I invalidate the token after a password change? I want a user authenticated in another browser to be logged out after that. Has anyone had a problem like this?

You normally don't invalidate JWTs because they are meant to be short-lived access tokens, and therefore after the password change a request for a new token will prompt the user to re-enter credentials.

If you absolutely need to invalidate the JWT immediately after a password change, you need to look into Introspection, where your backend API essentially has a backchannel to your token issuer and can then re-validate the token on every request. This way, if you invalidate the token on the issuer side, it is reflected on the API side immediately.

I've been thinking about this, and being able to invalidate a JWT that's already out there may not be built into anything, but it is possible.

Here's the narrative: you have an alarm system installed that can be controlled via the web, and your ex-S/O is logged in to your previously shared account. They are upset and keep enabling the alarm at random times. If the web app uses JWTs to store the session, you could change your password, but the JWT your ex possesses will still be usable for a period of time until the timeout is reached.

  • Solution 1: short timeout. But what if you want to stay logged in for longer periods (such as a password manager)?
  • Solution 2: log out ALL users by changing the signing key of your Certificate Authority, basically invalidating ALL JWTs across the board. This is still a less ideal route, as I'm sure you can imagine.
  • Solution 3: track the current JWT for each user in your Users table. If the JWT they possess is different from the current one, then they aren't authenticated. If the user logs out, nullify the stored JWT data in your Users table, which would equally unauthenticate JWTs for that user and force a re-login. I'd also recommend storing a "logged in" bool for the user. DO NOT RELY ON THIS. This would be a value set to true when they log in and to false when they log out, and you validate that the value is 'true' whenever they pass you a JWT. This will ensure that the moment they log out they are forced to reauthenticate.

Assuming you go with solution 3:

When storing JWT data for this solution, I'm leaning towards not storing the entire JWT because it's rather large text to begin with. Alternatively, just store the JWS (JWT signature), which makes the stored value both smaller and unusable if captured for any reason. Next, it's a hash to begin with, so we could just store the last maybe 9 values (9 because int32 max is 2147483647). We just need a bit of uniqueness, not much. Next, we could avoid the string comparison for validating that the JWS passed is the active one if we use regex to pull the integers out of the JWS and again take maybe the first 9 numbers you encounter.

Following this method, and returning to the narrative, if you were to log out, your user would be marked as logged out, resulting in both yourself and your S/O being required to reauthenticate (assuming you've changed your password you're golden; otherwise it's time to contact Customer Support). If you were to log back in, you'd get a fresh JWT and a new signature would be stored in the Users table. If your S/O were to try to use the site, they would not be authenticated with their old JWT and would be forced to sign back in.

Trade-off: if we only store the JWS, or a part of it as I suggested, multiple users can't be signed in to the same account at once. How you feel about that really depends on your app.
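As an added example (not code from either answer, and not ASP.NET Identity's own implementation), here is solution 3 in Python: a fingerprint of the user's current JWT signature is stored beside the user record together with the "logged in" bool, and both are checked on every request, so a logout or a password change ends every copy of the session immediately even though the token's `exp` has not been reached. The same per-request check against issuer-side state is what the first answer's introspection backchannel provides; here it is a local table lookup because API and issuer are the same process. HS256 is implemented with the standard library so the script runs offline. The `SIGNING_KEY`, the in-memory `USERS` dict standing in for the Users table, the PBKDF2 password hashing, and the choice to store a SHA-256 of the signature as the fingerprint (instead of the nine digits suggested above) are all assumptions of this example, not something the answers specify.

```python
import base64
import hashlib
import hmac
import json
import os

# Assumption: the server-side HMAC key (in ASP.NET Core this would come from configuration).
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed stand-in for the Users table. active_sig holds a SHA-256 of the
# signature of the user's current JWT (None = no live session); logged_in is the
# bool the answer recommends keeping alongside it.
USERS = {}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()

def _fingerprint(signature: bytes) -> str:
    # Store a hash of the signature rather than the token: small, and of no use
    # to anyone who manages to read the Users table.
    return hashlib.sha256(signature).hexdigest()

def create_user(user_id: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[user_id] = {"salt": salt, "pw": _hash_password(password, salt),
                      "active_sig": None, "logged_in": False}

def issue_token(user_id: str, now: int, ttl_seconds: int) -> str:
    """Mint a minimal HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl_seconds}).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64url(_sign(signing_input.encode()))}"

def login(user_id: str, password: str, now: int, ttl_seconds: int = 3600):
    """Check the password, issue a token and record it as the user's only live session."""
    user = USERS.get(user_id)
    if user is None or not hmac.compare_digest(user["pw"], _hash_password(password, user["salt"])):
        return None
    token = issue_token(user_id, now, ttl_seconds)
    user["active_sig"] = _fingerprint(_b64url_decode(token.rsplit(".", 1)[1]))
    user["logged_in"] = True
    return token

def authenticate(token: str, now: int):
    """Return the user id if the token verifies AND is still the user's current session, else None."""
    try:
        header, payload, sig_text = token.split(".")
        signature = _b64url_decode(sig_text)
    except ValueError:                   # wrong shape or invalid base64 (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(signature, _sign(f"{header}.{payload}".encode())):
        return None                      # tampered, or signed with another key
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None                      # ordinary expiry
    user = USERS.get(claims.get("sub"))
    if user is None or not user["logged_in"] or user["active_sig"] is None:
        return None                      # logged out, or password changed since issue
    if not hmac.compare_digest(user["active_sig"], _fingerprint(signature)):
        return None                      # a newer login replaced this token
    return claims["sub"]

def logout(user_id: str) -> None:
    """Nullify the stored fingerprint: every copy of the current JWT stops working at once."""
    USERS[user_id]["active_sig"] = None
    USERS[user_id]["logged_in"] = False

def change_password(user_id: str, old_password: str, new_password: str) -> bool:
    user = USERS.get(user_id)
    if user is None or not hmac.compare_digest(user["pw"], _hash_password(old_password, user["salt"])):
        return False
    user["salt"] = os.urandom(16)
    user["pw"] = _hash_password(new_password, user["salt"])
    logout(user_id)                      # the ex's browser loses its session here, not at exp
    return True

if __name__ == "__main__":
    create_user("alice", "correct horse")
    t = 1_700_000_000
    shared = login("alice", "correct horse", t)      # the token the ex still holds
    print(authenticate(shared, t + 60))              # alice
    change_password("alice", "correct horse", "new pass")
    print(authenticate(shared, t + 120))             # None, long before exp
```

Note the trade-off the answer mentions is visible here: a second `login` overwrites `active_sig`, so the first browser's token stops validating. If several concurrent sessions per account are wanted, keep a set of fingerprints per user (or a per-user version number carried as a claim and bumped on password change) instead of a single value; the per-request lookup stays the same.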

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.
