JWT authentication with UseTokenCookie and IUserSessionSourceAsync

ServiceStack Authentication
1

Hello

Dart client:

...
Future<LoggedUser> authenticate(
    String baseUrl,
    String username,
    String password,
  ) async {
    final clientOptions = ClientOptions(baseUrl: baseUrl);
    _client = ClientFactory.createWith(clientOptions);

    final req = Authenticate(
      provider: "credentials",
      userName: username,
      password: password,
      useTokenCookie: true,
    );

    final res = await client.send(req);

    return LoggedUser(displayName: res.displayName ?? "");
  }
...

Auth feature configuration:

...
appHost.Plugins.Add(new AuthFeature(() =>
                new WcsUserSession(),
                new IAuthProvider[]
                {
                    new JwtAuthProvider(appHost.AppSettings)
                    {
                        RequireSecureConnection = false,
                        UseTokenCookie = true,
                        AuthKeyBase64 = appHost.AppSettings.GetString("AuthKeyBase64"),
                        ExpireTokensIn = TimeSpan.FromMinutes(1),
                        ExpireRefreshTokensIn = TimeSpan.FromDays(365 * 50),
                        CreatePayloadFilter = (payload,session) =>
                        {
                            payload["external_id"] = ((WcsUserSession)session).ExternalId?.ToString();
                        },
                        PopulateSessionFilter = (session, payload, _) =>
                        {
                            if (session is not WcsUserSession userSession) return;
                            userSession.ExternalId = payload["external_id"];
                        }
                    },
                    new WcsCredentialsAuthProvider(),
                    new WcsBasicAuthProvider()
                })
            {
                IncludeDefaultLogin = false,
                IncludeAssignRoleServices = false,
                IncludeRegistrationService = false
            });
        });
...

WcsCredentialsAuthProvider

...
public class WcsCredentialsAuthProvider : CredentialsAuthProvider, IUserSessionSourceAsync
{
    public override async Task<bool> TryAuthenticateAsync(IServiceBase authService, string userName, string password, CancellationToken ct = new())
    {
        using var db = await authService.TryResolve<IDbConnectionFactory>().OpenAsync(ct);
        try
        {
            var user = await db.SingleAsync<User>(x => x.Username == userName, token: ct);

            if (user == null || !authService.TryResolve<IPasswordHasher>().VerifyPassword(user.Password, password, out _))
                throw HttpError.Unauthorized(Msgs.Get(Qualifier.Unauthorized));
            
            if (!user.Active ?? true)
                throw HttpError.Forbidden(Msgs.Get(Qualifier.Forbidden));
                
            var session = (WcsUserSession)await authService.GetSessionAsync(token: ct);
            session.DisplayName = user.DisplayName;
            session.UserAuthId = user.Id.ToString();
            session.UserAuthName = user.Username;
            session.IsAuthenticated = true;
            session.Roles = [user.Role.ToString() ?? throw new ArgumentException(Msgs.Get(Qualifier.FatalError))];
            session.AuthProvider = "credentials";
            session.UserName = user.Username;
            session.IpAddress = authService.Request.RemoteIp;
            session.ExternalId = user.ExternalId;
            
            await db.LogEventAsync(LogEventType.Login, $"{userName} (IP: {authService.Request.RemoteIp ?? "N/A"})", ct);
            return true;
        }
        catch (Exception e)
        {
            await db.LogEventAsync(LogEventType.LoginFailed, $"{userName} | {password} | {e.Message} (IP: {authService.Request.RemoteIp ?? "N/A"})", ct);
            throw;
        }
    }

    public async Task<IAuthSession> GetUserSessionAsync(string userAuthId, CancellationToken ct = new())
    {
        using var db = await HostContext.TryResolve<IDbConnectionFactory>().OpenAsync(ct);
        var user = await db.SingleByIdAsync<User>(userAuthId.ToLong(-1), token: ct);
        
        if (user == null)
            throw HttpError.Unauthorized(Msgs.Get(Qualifier.Unauthorized));
        
        if (!(user.Active ?? true))
            throw HttpError.Forbidden(Msgs.Get(Qualifier.Forbidden));

        var session = new WcsUserSession
        {
            DisplayName = user.DisplayName,
            UserAuthId = user.Id.ToString(),
            UserAuthName = user.Username,
            IsAuthenticated = true,
            Roles = [user.Role.ToString() ?? throw new ArgumentException(Msgs.Get(Qualifier.FatalError))],
            AuthProvider = "credentials",
            UserName = user.Username,
            ExternalId = user.ExternalId
        };

        return session;
    }
}
...

Client authenticates successfully.
After one minute client token has expired and it triggers GetUserSessionAsync, but after initial token expiration GetUserSessionAsync is triggered on every request.

Message logged on server is:
JWT BearerToken 'eyJ0...' failed: Token has expired, trying Refresh Token...

I guess that bearer token is not refreshed on client side after reauthentication (GetUserSessionAsync).
I also have spa app that uses same api via javascript and this behavior is not observed.

Am I missing something?

Kind regards

2

What’s the HTTP Response Headers for the initial Authentication request and the Refresh Token Request? (scrub any sensitive info with xxxx)

3

How to get that for Dart client?

4

If it’s not from a browser you can use a HTTP Packet sniffer like WireShark, HTTP Toolkit, tcpdump, Fiddler, etc.

5

Additional info, I’m using flutter android client.

REQUEST:

Hypertext Transfer Protocol
    POST /api/Authenticate HTTP/1.1\r\n
        Request Method: POST
        Request URI: /api/Authenticate
        Request Version: HTTP/1.1
    user-agent: Dart/3.7 (dart:io)\r\n
    content-type: application/json; charset=utf-8\r\n
    accept: application/json\r\n
    accept-encoding: gzip\r\n
    content-length: 297\r\n
        [Content length: 297]
    host: 10.10.10.109:5002\r\n
    \r\n
    [Response in frame: 76]
    [Full request URI: http://10.10.10.109:5002/api/Authenticate]
    File Data: 297 bytes
JavaScript Object Notation: application/json
    Object
        Member: provider
            [Path with value: /provider:credentials]
            [Member with value: provider:credentials]
            String value: credentials
            Key: provider
            [Path: /provider]
        Member: state
            [Path with value: /state:null]
            [Member with value: state:null]
            Null value
            Key: state
            [Path: /state]
        Member: oauth_token
            [Path with value: /oauth_token:null]
            [Member with value: oauth_token:null]
            Null value
            Key: oauth_token
            [Path: /oauth_token]
        Member: oauth_verifier
            [Path with value: /oauth_verifier:null]
            [Member with value: oauth_verifier:null]
            Null value
            Key: oauth_verifier
            [Path: /oauth_verifier]
        Member: userName
            [Path with value: /userName:a]
            [Member with value: userName:a]
            String value: a
            Key: userName
            [Path: /userName]
        Member: password
            [Path with value: /password:a]
            [Member with value: password:a]
            String value: a
            Key: password
            [Path: /password]
        Member: rememberMe
            [Path with value: /rememberMe:null]
            [Member with value: rememberMe:null]
            Null value
            Key: rememberMe
            [Path: /rememberMe]
        Member: continue
            [Path with value: /continue:null]
            [Member with value: continue:null]
            Null value
            Key: continue
            [Path: /continue]
        Member: nonce
            [Path with value: /nonce:null]
            [Member with value: nonce:null]
            Null value
            Key: nonce
            [Path: /nonce]
        Member: uri
            [Path with value: /uri:null]
            [Member with value: uri:null]
            Null value
            Key: uri
            [Path: /uri]
        Member: response
            [Path with value: /response:null]
            [Member with value: response:null]
            Null value
            Key: response
            [Path: /response]
        Member: qop
            [Path with value: /qop:null]
            [Member with value: qop:null]
            Null value
            Key: qop
            [Path: /qop]
        Member: nc
            [Path with value: /nc:null]
            [Member with value: nc:null]
            Null value
            Key: nc
            [Path: /nc]
        Member: cnonce
            [Path with value: /cnonce:null]
            [Member with value: cnonce:null]
            Null value
            Key: cnonce
            [Path: /cnonce]
        Member: useTokenCookie
            [Path with value: /useTokenCookie:true]
            [Member with value: useTokenCookie:true]
            True value
            Key: useTokenCookie
            [Path: /useTokenCookie]
        Member: accessToken
            [Path with value: /accessToken:null]
            [Member with value: accessToken:null]
            Null value
            Key: accessToken
            [Path: /accessToken]
        Member: accessTokenSecret
            [Path with value: /accessTokenSecret:null]
            [Member with value: accessTokenSecret:null]
            Null value
            Key: accessTokenSecret
            [Path: /accessTokenSecret]
        Member: meta
            [Path with value: /meta:null]
            [Member with value: meta:null]
            Null value
            Key: meta
            [Path: /meta]

RESPONSE:

Hypertext Transfer Protocol, has 3 chunks (including last chunk)
    HTTP/1.1 200 OK\r\n
        Response Version: HTTP/1.1
        Status Code: 200
        [Status Code Description: OK]
        Response Phrase: OK
    Content-Type: application/json; charset=utf-8\r\n
    Date: Wed, 02 Apr 2025 11:19:33 GMT\r\n
    Server: Kestrel\r\n
    Access-Control-Allow-Credentials: true\r\n
    Access-Control-Allow-Headers: Content-Type\r\n
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD\r\n
    Access-Control-Max-Age: 600\r\n
    Set-Cookie: ss-id=RRo2hftSol6HthQSw6Gw; path=/; samesite=strict; httponly\r\n
    Set-Cookie: ss-pid=OCs9q4gBk7TK6BhKExDL; expires=Sun, 02 Apr 2045 11:18:02 GMT; path=/; samesite=strict; httponly\r\n
    Set-Cookie: ss-opt=temp; expires=Sun, 02 Apr 2045 11:18:02 GMT; path=/; samesite=strict; httponly\r\n
     […]Set-Cookie: ss-tok=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Im9wViJ9.eyJzdWIiOjMsImlhdCI6MTc0MzU5Mjc3MywiZXhwIjoxNzQzNTkyODMzLCJuYW1lIjoiYSIsInByZWZlcnJlZF91c2VybmFtZSI6ImEiLCJyb2xlcyI6WyJUZXJtaW5hbCJdLCJqdGkiOjksImV4dGVybmFsX2lkI
     […]Set-Cookie: ss-reftok=eyJ0eXAiOiJKV1RSIiwiYWxnIjoiSFMyNTYiLCJraWQiOiJvcFYifQ.eyJzdWIiOjMsImlhdCI6MTc0MzU5Mjc3MywiZXhwIjozMzIwMzkyNzczLCJqdGkiOi0yfQ.DzCfmJrGHZ6O3Y299G8sMqEVkDs-v5Dh1b4dViM1LwU; expires=Thu, 21 Mar 2075 11:19:33 GMT; p
    Transfer-Encoding: chunked\r\n
    Vary: Accept\r\n
    X-Cookies: ss-tok,ss-reftok\r\n
    \r\n
    [Request in frame: 67]
    [Time since request: 0.009343000 seconds]
    [Request URI: /api/Authenticate]
    [Full request URI: http://10.10.10.109:5002/api/Authenticate]
    HTTP chunked response
        Data chunk (1024 octets)
            Chunk size: 1024 octets
            Chunk data […]: 7b22757365724964223a2233222c2273657373696f6e4964223a2252526f32686674536f6c36487468515377364777222c22757365724e616d65223a2261222c22646973706c61794e616d65223a2261222c2270726f66696c6555726c223a22646174613a696d6167652f7376672
            Chunk boundary: 0d0a
        Data chunk (29 octets)
            Chunk size: 29 octets
            Chunk data: 737667253345222c22726f6c6573223a5b225465726d696e616c225d7d
            Chunk boundary: 0d0a
        End of chunked encoding
            Chunk size: 0 octets
        \r\n
    File Data: 1053 bytes
JavaScript Object Notation: application/json
    Object
        Member: userId
            [Path with value: /userId:3]
            [Member with value: userId:3]
            String value: 3
            Key: userId
            [Path: /userId]
        Member: sessionId
            [Path with value: /sessionId:RRo2hftSol6HthQSw6Gw]
            [Member with value: sessionId:RRo2hftSol6HthQSw6Gw]
            String value: RRo2hftSol6HthQSw6Gw
            Key: sessionId
            [Path: /sessionId]
        Member: userName
            [Path with value: /userName:a]
            [Member with value: userName:a]
            String value: a
            Key: userName
            [Path: /userName]
        Member: displayName
            [Path with value: /displayName:a]
            [Member with value: displayName:a]
            String value: a
            Key: displayName
            [Path: /displayName]
        Member: profileUrl
            [Path with value […]: /profileUrl:data:image/svg+xml,%3Csvg width='100' height='100' viewBox='0 0 100 100' xmlns='http://www.w3.org/2000/svg'%3E%3Cstyle%3E .path%7B%7D %3C/style%3E%3Cg id='male-svg'%3E%3Cpath fill='%23556080' d='M1 92.84V]
            [Member with value […]: profileUrl:data:image/svg+xml,%3Csvg width='100' height='100' viewBox='0 0 100 100' xmlns='http://www.w3.org/2000/svg'%3E%3Cstyle%3E .path%7B%7D %3C/style%3E%3Cg id='male-svg'%3E%3Cpath fill='%23556080' d='M1 92.84]
            String value […]: data:image/svg+xml,%3Csvg width='100' height='100' viewBox='0 0 100 100' xmlns='http://www.w3.org/2000/svg'%3E%3Cstyle%3E .path%7B%7D %3C/style%3E%3Cg id='male-svg'%3E%3Cpath fill='%23556080' d='M1 92.84V84.14C1 84.14 2
            Key: profileUrl
            [Path: /profileUrl]
        Member: roles
            Array
                [Path with value: /roles/[]:Terminal]
                [Member with value: []:Terminal]
                String value: Terminal
            Key: roles
            [Path: /roles]
6

And the RefreshToken Request?

7

I don’t have that request in wireshark log.
I’m not calling any kind of refreshtoken, either on web client or flutter/dart client.

On web client (developer tools) i was refreshing users from db and token has expired between second and third request, and i logged it in GetUserSessionAsync method on server but there were no additional requests:

image_2025-04-02_142639257
image_2025-04-02_142639257917×156 5.72 KB

Server:

image
image704×133 23.6 KB

image

Same goes with flutter/dart, i see no additional requests in wireshark.

Subsequent request calls from web app do not trigger GetUserSessionAsync for another minute, whilst on flutter/dart client it is triggered with every request after first minute.

8

What are the HTTP Headers for this request?

9

Sorry for late response, time difference kicked in. Here is the request:

Frame 59: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface \Device\NPF_{D6CED58A-3C89-49D9-92A2-E214B2808D6D}, id 0
Ethernet II, Src: LongcheerTel_f5:86:69 (0c:25:76:f5:86:69), Dst: ASUSTekCOMPU_65:b3:d4 (60:cf:84:65:b3:d4)
Internet Protocol Version 4, Src: 10.10.10.104, Dst: 10.10.10.109
Transmission Control Protocol, Src Port: 34250, Dst Port: 5002, Seq: 785, Ack: 1, Len: 2
[2 Reassembled TCP Segments (786 bytes): #58(784), #59(2)]
Hypertext Transfer Protocol
    POST /api/GroupVerificationOfMultipleSeals HTTP/1.1\r\n
        Request Method: POST
        Request URI: /api/GroupVerificationOfMultipleSeals
        Request Version: HTTP/1.1
    user-agent: Dart/3.7 (dart:io)\r\n
    accept: application/json\r\n
    accept-encoding: gzip\r\n
     […]cookie: ss-id=DRbYMKX9ObrhVCpEAUIa; ss-pid=UsGDUHWmf56EmQiWnW22; ss-opt=temp; ss-tok=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Im9wViJ9.eyJzdWIiOjMsImlhdCI6MTc0MzY1OTQ1OSwiZXhwIjoxNzQzNjU5NTE5LCJuYW1lIjoiQUxFS1NBTkRBUiBWVUpDSUMiLCJ
        Cookie pair: ss-id=DRbYMKX9ObrhVCpEAUIa
        Cookie pair: ss-pid=UsGDUHWmf56EmQiWnW22
        Cookie pair: ss-opt=temp
        Cookie pair […]: ss-tok=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Im9wViJ9.eyJzdWIiOjMsImlhdCI6MTc0MzY1OTQ1OSwiZXhwIjoxNzQzNjU5NTE5LCJuYW1lIjoiQUxFS1NBTkRBUiBWVUpDSUMiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhIiwicm9sZXMiOlsiVGVybWluYWwiXSwianRp
        Cookie pair: ss-reftok=eyJ0eXAiOiJKV1RSIiwiYWxnIjoiSFMyNTYiLCJraWQiOiJvcFYifQ.eyJzdWIiOjMsImlhdCI6MTc0MzY1OTQ1OSwiZXhwIjozMzIwNDU5NDU5LCJqdGkiOi0xfQ.ONIzVjfQBiSfduLORMZT7vciXgW5XjidGNezJCpLCDg
    content-length: 2\r\n
        [Content length: 2]
    host: 10.10.10.109:5002\r\n
    content-type: application/json; charset=utf-8\r\n
    \r\n
    [Response in frame: 69]
    [Full request URI: http://10.10.10.109:5002/api/GroupVerificationOfMultipleSeals]
    File Data: 2 bytes
JavaScript Object Notation: application/json
    Object
10

Can you reply with the Raw plain-text HTTP Request and Response Headers? I can’t distinguish between the Request or Response Headers here. This looks like it might be just the Request Headers, but can’t tell because of the weird duplicating/formatting.

11

Request:

Hypertext Transfer Protocol
    POST /api/GroupVerificationOfMultipleSeals HTTP/1.1\r\n
        Request Method: POST
        Request URI: /api/GroupVerificationOfMultipleSeals
        Request Version: HTTP/1.1
    user-agent: Dart/3.7 (dart:io)\r\n
    accept: application/json\r\n
    accept-encoding: gzip\r\n
     […]cookie: ss-id=DRbYMKX9ObrhVCpEAUIa; ss-pid=UsGDUHWmf56EmQiWnW22; ss-opt=temp; ss-tok=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Im9wViJ9.eyJzdWIiOjMsImlhdCI6MTc0MzY1OTQ1OSwiZXhwIjoxNzQzNjU5NTE5LCJuYW1lIjoiQUxFS1NBTkRBUiBWVUpDSUMiLCJ
        Cookie pair: ss-id=DRbYMKX9ObrhVCpEAUIa
        Cookie pair: ss-pid=UsGDUHWmf56EmQiWnW22
        Cookie pair: ss-opt=temp
        Cookie pair […]: ss-tok=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Im9wViJ9.eyJzdWIiOjMsImlhdCI6MTc0MzY1OTQ1OSwiZXhwIjoxNzQzNjU5NTE5LCJuYW1lIjoiQUxFS1NBTkRBUiBWVUpDSUMiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhIiwicm9sZXMiOlsiVGVybWluYWwiXSwianRp
        Cookie pair: ss-reftok=eyJ0eXAiOiJKV1RSIiwiYWxnIjoiSFMyNTYiLCJraWQiOiJvcFYifQ.eyJzdWIiOjMsImlhdCI6MTc0MzY1OTQ1OSwiZXhwIjozMzIwNDU5NDU5LCJqdGkiOi0xfQ.ONIzVjfQBiSfduLORMZT7vciXgW5XjidGNezJCpLCDg
    content-length: 2\r\n
        [Content length: 2]
    host: 10.10.10.109:5002\r\n
    content-type: application/json; charset=utf-8\r\n
    \r\n
    [Response in frame: 72]
    [Full request URI: http://10.10.10.109:5002/api/GroupVerificationOfMultipleSeals]
    File Data: 2 bytes
JavaScript Object Notation: application/json
    Object

Response:

Hypertext Transfer Protocol, has 2 chunks (including last chunk)
    HTTP/1.1 400 ArgumentException\r\n
        Response Version: HTTP/1.1
        Status Code: 400
        [Status Code Description: Bad Request]
        Response Phrase: ArgumentException
    Content-Type: application/json; charset=utf-8\r\n
    Date: Thu, 03 Apr 2025 06:04:29 GMT\r\n
    Server: Kestrel\r\n
    Access-Control-Allow-Credentials: true\r\n
    Access-Control-Allow-Headers: Content-Type\r\n
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD\r\n
    Access-Control-Max-Age: 600\r\n
    Set-Cookie: ss-tok=; expires=Wed, 02 Apr 2025 06:04:29 GMT; path=/; samesite=strict; httponly\r\n
     […]Set-Cookie: ss-tok=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Im9wViJ9.eyJzdWIiOjMsImlhdCI6MTc0MzY2MDI2OSwiZXhwIjoxNzQzNjYwMzI5LCJuYW1lIjoiQUxFS1NBTkRBUiBWVUpDSUMiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhIiwicm9sZXMiOlsiVGVybWluYWwiXSwianRpI
    Transfer-Encoding: chunked\r\n
    Vary: Accept\r\n
    \r\n
    [Request in frame: 61]
    [Time since request: 0.089596000 seconds]
    [Request URI: /api/GroupVerificationOfMultipleSeals]
    [Full request URI: http://10.10.10.109:5002/api/GroupVerificationOfMultipleSeals]
    HTTP chunked response
        Data chunk (682 octets)
            Chunk size: 682 octets
            Chunk data […]: 7b22726573706f6e7365537461747573223a7b226572726f72436f6465223a22417267756d656e74457863657074696f6e222c226d657373616765223a224e656d61206e69206a65646e65207a6174766f726e696365207a61207665726966696b6163696a75222c22737461636b5
            Chunk boundary: 0d0a
        End of chunked encoding
            Chunk size: 0 octets
        \r\n
    File Data: 682 bytes
JavaScript Object Notation: application/json
    Object
        Member: responseStatus
          > Object
            Key: responseStatus
            [Path: /responseStatus]

Is this format ok? Maybe I’m doing something wrong since I’m not too familiar with wireshark.

Im testing on request which returns argument exception from service, but problem appears before service is reached.

12

This looks like it’s working as intended, it’s making a request with an expired JWT + Refresh Token, the request is processed and the Refresh Token is used to generate and return a new JWT with a different expiry date.

It’s only returning with a 400 Bad Request response because the request was invalid.

FYI you can get the raw HTTP in WireShark with Follow TCP Stream

13

Behavior I’m detecting is as if Flutter/DART client is not using new bearer token in subsequential requests but uses old one and because of that is triggering GetUserSessionAsync on every request after initital token expires.

My guess is that there is some glitch in DART client because web (js) client is behaving as expected on same api.

14

It ignores merging cookies on failed responses like this one. Does successful (i.e. 200) responses update the cookie on subsequent requests?

15

When I’m responding with 200 (tried with 204) it does not trigger GetUserSessionAsync after that.

Is this expected behavior?

16

GetUserSessionAsync() does not exist in the ServiceStack Dart client, that’s something your App is doing.

17

Maybe I should rephrase.
When service returns HTTP status class 200, DART client merge/update cookie. Method GetUserSessionAsync (implementing IUserSessionSourceAsync) is on server side and it is this method in which I’ve detected that my DB is being hitted with additional checks (is user deactivated in meantime etc) after token expiration.

When I return 400 from service, DART client does not update token and it will use expired one for all subsequential requests (and hit DB checks) as long as service returns non 200 class response.

Does it make sense that even if service returned non 200 class response, DART client should use newly received cookie because client has authenticated/authorized, even if service is returning error because of (maybe) some invalid input values?

18

That’s the current behavior of the client. You should expect a lot more overhead with such a low token expiry.

19

Ok, thank you.
I was puzzled because i had inconsistent behavior between 200 and 400 class answers, now it’s clear how it works.

Idea for such short expiry was to deactivate user as fast as possible when admin deactivates it.
Is there a way to immediatelly invalidate specific jwt token? Or at least to invalidate all tokens? I could not find one.

20

You can’t invalidate issued JWT tokens since you’re not maintaining records of which generated JWTs were issued, if you did you could implement a filter of invalidated tokens.

Best you can do is add a global request filter that inspects the JWT and check if the User is locked and return a forbidden response, but if you’re going to hit the db to check if a user is valid then there’s not really a point into using stateless JWTs.