如何注销或过期 ASP.NET 内核 Web ZDB974238714CA8DE634A7CE1D08 的 JWT 令牌?
[英]How to logout or expire JWT token for ASP.NET Core Web API?
问题描述
I have created a token with:
我创建了一个令牌:
IdentityOptions identityOptions = new IdentityOptions();
var claims = new Claim[]
{
new Claim(identityOptions.ClaimsIdentity.UserIdClaimType, token.User.FirstOrDefault().ID.ToString()),
new Claim(identityOptions.ClaimsIdentity.UserNameClaimType,request.Local.UserName),
};
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("this-is-my-secret-key"));
var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
var jwt = new JwtSecurityToken(signingCredentials: signingCredentials, claims: claims, expires: DateTime.Now.AddHours(12));
Can you help me how to logout or expire this token for ASP.NET Core Web API?你能帮我如何注销或过期 ASP.NET Core Web API 的这个令牌吗? So the user will never use this token again.所以用户永远不会再使用这个令牌。
Thanks谢谢
1 个解决方案
解决方案1
1 2021-04-30 09:06:35
Once JWT is generated and sent to the client.一旦 JWT 生成并发送到客户端。 It cannot be change already (not by client itself and must go through back-end to get a new token).它已经无法更改(不是由客户端本身更改,并且必须通过后端 go 才能获得新令牌)。
In order to invalidate/revoke a JWT, you may have a Redis (recommended) or database to store those invalidated JTI (Token ID) that is associated with each JWT issued.为了使 JWT 无效/撤销,您可能有一个 Redis(推荐)或数据库来存储与每个 Z1D1FADBD9150349C1357819140FFFEE 相关联的无效 JTI(令牌 ID)。
If you do not wish to have Redis/database, then you must keep your JWT lifetime as short as possible like 5 minutes.如果您不希望拥有 Redis/数据库,那么您必须尽可能缩短 JWT 的生命周期,例如 5 分钟。 Then, when logout, remove the token from client side (local storage or cookie).然后,在注销时,从客户端(本地存储或 cookie)中删除令牌。 However, this approach does not invalidate JWT immediately, clients are still able to access to the API if they keep their token before we remove it.但是,这种方法不会立即使 JWT 失效,如果客户在我们删除它之前保留其令牌,他们仍然能够访问 API。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.