JwtAuthProvider JwtFilters.TokenToSession

Hi,
I use the JwtAuthProvider and store tokens in sessions.
I want to invalidate all tokens so that the users have to log in again.
How can I do that?

I'm running a web app in Azure and have tried to restart and stop and start the application without success.

Regards Kristian

You must mean Cookies; JWTs are entirely stateless, meaning they are not stored on the server anywhere, their state is only held by the client. Due to their stateless nature they normally cannot be revoked, i.e. they're self-signed and valid for the expiration embedded in the JWT Token. The normal way to control authorization is to have a short-lived JWT Token and a long-lived Refresh Token, so when the client fetches a new JWT Token using the Refresh Token the server can invalidate their access then (i.e. by not issuing a new JWT Bearer Token).

Having said that, the JwtAuthProvider includes an InvalidateTokensIssuedBefore property you can use to invalidate all JWT Tokens issued before a specific date. Another way to invalidate all previously issued JWT tokens is to just change the Auth Key the JWT AuthProvider was configured with, which it used to sign previous tokens, so that they'll no longer validate. But you shouldn't rely on being able to invalidate tokens and should instead design your Applications so that they honor the Expiry Times embedded in JWTs (configurable with ExpireTokensIn) and use RefreshTokens to control User Authorization.

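The three controls named in the answer above (embedded expiry, an issued-before cutoff, and changing the signing key), shown as an added example that is not part of the original thread and is not ServiceStack's code. It is a generic HS256 verifier in Python; the function names, keys and timestamps are constructed for illustration.

```python
import base64, hashlib, hmac, json
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(key: bytes, sub: str, now: int, ttl: int) -> str:
    """Sign an HS256 token carrying iat (issued at) and exp (expiry)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify(token: str, key: bytes, now: int, issued_before_cutoff: Optional[int] = None) -> str:
    """Return 'ok' or the reason the token is rejected. No server-side state is consulted."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return "bad-alg"  # never let the token choose the algorithm
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return "bad-signature"  # wrong or changed key, or tampered claims
        claims = json.loads(b64url_decode(payload))
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return "malformed"
    if now >= exp:
        return "expired"
    if issued_before_cutoff is not None and iat < issued_before_cutoff:
        return "issued-before-cutoff"
    return "ok"

def demo() -> dict:
    """Constructed scenario: one token checked under each invalidation control."""
    old_key, new_key = b"constructed-demo-key-1", b"constructed-demo-key-2"
    t0 = 1_700_000_000  # constructed issue time (Unix seconds)
    token = issue(old_key, "user-1", now=t0, ttl=900)
    return {
        "fresh": verify(token, old_key, now=t0 + 60),
        "after_expiry": verify(token, old_key, now=t0 + 900),
        "after_cutoff": verify(token, old_key, now=t0 + 60, issued_before_cutoff=t0 + 30),
        "after_key_change": verify(token, new_key, now=t0 + 60),
        "reissued": verify(issue(new_key, "user-1", t0 + 40, 900), new_key, t0 + 60, t0 + 30),
    }
```

Restarting the application changes none of the verifier's inputs (key, clock, cutoff), so a token that validated before the restart validates after it.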

Thx for your clarification