Question about validating JWT


I have the following flow in my app

  1. User authenticates with Basecamp OAuth
  2. Access & refresh tokens stored in backend database
  3. JWT access token stored in chrome extension data store

The Chrome extension uses the JWT token to access my API, and my API uses the Basecamp access token to perform Basecamp account actions on the user's behalf.

If I delete the cached session and the user, the JWT token will still authenticate and the session will be populated from the data stored in the payload.

Does ServiceStack have any mechanism for invalidating a JWT before its expiry, other than changing the base64 key and invalidating all tokens application-wide?

If I wanted to add additional checks prior to authenticating, like checking for a soft/hard delete or account suspension, where would I do it?

The documentation gives an example with the credentials provider overriding TryAuthenticate(), but the JwtAuthProvider doesn't have this method.

Where do I put additional validity checks for the JWT token?


Yeah, here are 3 customizations you can use to add your own custom validation logic to either JWT Tokens or Refresh Tokens, where you can return false to invalidate the Auth Request:

Whilst InvalidateTokensIssuedBefore lets you invalidate all tokens issued before a specific date without needing to replace the Auth Key.
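One way to wire the checks the question asks for (soft/hard delete, suspension, per-user and application-wide revocation) into the hooks the answer above refers to. This is an added example written for this page, not the poster's code and not a snippet from the ServiceStack docs. It assumes that JwtAuthProvider exposes a ValidateToken callback (receives the decoded JWT payload and the request) and a ValidateRefreshToken callback (receives the session carried by the refresh token and the request) in the version in use, that ServiceStack places the user id in the "sub" claim and the issue time in "iat" as Unix seconds, and that the application has its own user lookup; IUserAccountStore, UserAccountState and the "jwt.InvalidateTokensIssuedBefore" setting name are hypothetical. Check the callback names against the JwtAuthProvider on the installed package version before relying on them.

```csharp
using System;
using System.Globalization;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Configuration;
using ServiceStack.Text;
using ServiceStack.Web;

// Hypothetical lookup against the app's own user table (an assumption, not a ServiceStack API).
public interface IUserAccountStore
{
    // Returns null when the row no longer exists (hard delete).
    UserAccountState Get(string userId);
}

public class UserAccountState
{
    public bool SoftDeleted { get; set; }
    public bool Suspended { get; set; }
    // Per-user cutoff: tokens issued before this instant are no longer trusted
    // (password change, "log out everywhere", suspension). Null means no cutoff.
    public DateTime? TokensInvalidBefore { get; set; }
}

public static class JwtAuthConfig
{
    public static JwtAuthProvider Create(IAppSettings appSettings, IUserAccountStore users)
    {
        // Application-wide cutoff: persist it in config rather than using DateTime.UtcNow,
        // otherwise every deploy would silently log every user out.
        DateTime? globalCutoff = null;
        var raw = appSettings.GetString("jwt.InvalidateTokensIssuedBefore");
        if (DateTime.TryParse(raw, CultureInfo.InvariantCulture,
                DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal, out var parsed))
            globalCutoff = parsed;

        return new JwtAuthProvider(appSettings)
        {
            // Runs for every request presenting a JWT, after signature and expiry checks.
            // Returning false rejects the request although the token is still valid.
            ValidateToken = (jwtPayload, req) => IsJwtStillAcceptable(users, jwtPayload),

            // Same idea for refresh tokens, validated from the session they carry.
            ValidateRefreshToken = (session, req) => LookupActiveAccount(users, session?.UserAuthId) != null,

            // Rejects all tokens issued before this instant without rotating the Auth Key.
            InvalidateTokensIssuedBefore = globalCutoff,
        };
    }

    static bool IsJwtStillAcceptable(IUserAccountStore users, JsonObject jwtPayload)
    {
        // Assumption: "sub" holds the user id and "iat" the Unix issue time, as ServiceStack emits them.
        var account = LookupActiveAccount(users, jwtPayload.Get("sub"));
        if (account == null)
            return false;

        // Per-user revocation point: reject tokens minted before the account's cutoff.
        if (account.TokensInvalidBefore != null
            && jwtPayload.TryGetValue("iat", out var iat)
            && long.TryParse(iat, out var iatSeconds))
        {
            var issuedAt = DateTimeOffset.FromUnixTimeSeconds(iatSeconds).UtcDateTime;
            if (issuedAt < account.TokensInvalidBefore.Value)
                return false;
        }
        return true;
    }

    // Returns the account only if it still exists and is neither soft-deleted nor suspended.
    static UserAccountState LookupActiveAccount(IUserAccountStore users, string userId)
    {
        if (string.IsNullOrEmpty(userId))
            return null;
        var account = users.Get(userId);
        if (account == null || account.SoftDeleted || account.Suspended)
            return null;
        return account;
    }
}
```

These hooks turn the stateless JWT back into a per-request lookup against the user store, which is exactly what makes deletion and suspension take effect before expiry. If that lookup is too costly, cache the account state with a short TTL; revocation latency is then bounded by the TTL, which is usually an acceptable trade. The per-user TokensInvalidBefore stamp gives a finer-grained version of the application-wide InvalidateTokensIssuedBefore: bump it on password change or suspension and only that user's existing tokens stop working.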

Thanks Mythz, I will check that code.