Handling user lockout / revoking authorization using JWT token in .net core

Lawson Borges

Handling user lockout and revoking authorization in a .NET Core application using JWT (JSON Web Tokens) involves implementing some additional logic in your authentication and authorization processes. Below, I'll provide a general guide on how you can achieve this. Please note that this is a conceptual guide, and you might need to adapt the code to fit your specific application architecture and requirements.

JWT LockOut

User Lockout:

  • Enhance User Model:
Add a property to your user model to track the lockout status and potentially a lockout end date.

    public class ApplicationUser : IdentityUser
    {
        // Other properties

        public bool IsLockedOut { get; set; }
        public DateTime? LockoutEndDateUtc { get; set; }
    }

  • Lockout Logic:
Implement logic in your authentication process to check if a user is locked out before generating a JWT.

    var user = await userManager.FindByNameAsync(username);

    if (user != null && !user.IsLockedOut)
    {
        // Validate password, etc.
        // If successful, generate JWT
    }
    else if (user != null && user.IsLockedOut)
    {
        // Handle locked-out user (e.g., return an error)
    }


  • Lockout Policy:
Configure the lockout policy in your Startup.cs or IdentityConfig.cs.

    services.Configure<IdentityOptions>(options =>
    {
        options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(30);
        options.Lockout.MaxFailedAccessAttempts = 5;
    });
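The lockout policy above only takes effect if the login code actually drives Identity's own lockout fields: IdentityUser already carries LockoutEnabled, LockoutEnd and AccessFailedCount, and UserManager updates them through AccessFailedAsync, IsLockedOutAsync and ResetAccessFailedCountAsync. The following login endpoint is an added example (not code from the original post) that uses those built-in members in place of the custom IsLockedOut flag and then issues a short-lived JWT with a unique jti claim. The controller and record names, the 15-minute lifetime and the configuration keys Jwt:SigningKey, Jwt:Issuer and Jwt:Audience are assumptions of this example.

```csharp
// Added example: login that enforces the configured IdentityOptions.Lockout
// policy via UserManager's built-in lockout methods, then issues a JWT.
// Assumed: ApplicationUser : IdentityUser and configuration keys
// "Jwt:SigningKey" (>= 32-byte secret), "Jwt:Issuer", "Jwt:Audience".
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Tokens;

[ApiController]
[Route("auth")]
public class AuthController : ControllerBase
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly IConfiguration _config;

    public AuthController(UserManager<ApplicationUser> userManager, IConfiguration config)
    {
        _userManager = userManager;
        _config = config;
    }

    public record LoginRequest(string Username, string Password);

    [HttpPost("login")]
    public async Task<IActionResult> Login([FromBody] LoginRequest request)
    {
        var user = await _userManager.FindByNameAsync(request.Username);

        // Same response for unknown user and wrong password: do not reveal which.
        if (user == null)
            return Unauthorized(new { error = "invalid_credentials" });

        // Identity tracks LockoutEnd for us; no custom IsLockedOut flag is needed.
        if (await _userManager.IsLockedOutAsync(user))
            return StatusCode(423, new { error = "account_locked", until = user.LockoutEnd });

        if (!await _userManager.CheckPasswordAsync(user, request.Password))
        {
            // Increments AccessFailedCount and sets LockoutEnd once
            // MaxFailedAccessAttempts is reached (per IdentityOptions.Lockout).
            await _userManager.AccessFailedAsync(user);
            return Unauthorized(new { error = "invalid_credentials" });
        }

        // A successful login clears the failure counter.
        await _userManager.ResetAccessFailedCountAsync(user);

        return Ok(new { access_token = CreateToken(user) });
    }

    private string CreateToken(ApplicationUser user)
    {
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:SigningKey"]!));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, user.Id),
            new Claim(JwtRegisteredClaimNames.UniqueName, user.UserName!),
            // A unique token id lets a revocation list target this token
            // instead of storing the whole token string.
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
        };

        // A short lifetime bounds how long a lockout or revocation can lag behind.
        var token = new JwtSecurityToken(
            issuer: _config["Jwt:Issuer"],
            audience: _config["Jwt:Audience"],
            claims: claims,
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: creds);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
```

AccessFailedAsync only counts failures for users whose LockoutEnabled is true; UserManager.CreateAsync sets that from options.Lockout.AllowedForNewUsers, which defaults to true. Because a JWT is validated statelessly, a lockout applied after a token was issued does not affect that token until it expires, which is why the lifetime here is kept short and why the revocation list in the next section exists.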

Revoking Authorization:

  • Token Blacklisting:
Maintain a blacklist of tokens that have been revoked. This could be stored in a database or an in-memory cache.

    // Example using an in-memory cache
    public class TokenBlacklistService
    {
        private readonly IMemoryCache _cache;

        public TokenBlacklistService(IMemoryCache cache)
        {
            _cache = cache;
        }

        public void AddToBlacklist(string token, TimeSpan expiration)
        {
            _cache.Set(token, true, expiration);
        }

        public bool IsTokenBlacklisted(string token)
        {
            return _cache.TryGetValue(token, out _);
        }
    }

  • Check Token Validity:
Before processing a request with a JWT, check if the token is blacklisted.

    // Extract the bearer token from the Authorization header
    var token = httpContext.Request.Headers["Authorization"].ToString()
        .Replace("Bearer ", string.Empty, StringComparison.OrdinalIgnoreCase);

    if (!tokenBlacklistService.IsTokenBlacklisted(token))
    {
        // Process the request
    }
    else
    {
        // Token is blacklisted, handle accordingly (e.g., return unauthorized)
    }

  • Revoking Tokens:
When you need to revoke a user's authorization, add their token to the blacklist.

    // The token to revoke, taken from the Authorization header of the current request
    var token = httpContext.Request.Headers["Authorization"].ToString()
        .Replace("Bearer ", string.Empty, StringComparison.OrdinalIgnoreCase);

    tokenBlacklistService.AddToBlacklist(token, TimeSpan.FromDays(1));

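The blacklist check and the revoke step above can be combined into one place so that no controller has to remember to call IsTokenBlacklisted: the JwtBearer handler exposes an OnTokenValidated event that runs after the signature and lifetime checks have passed, which is exactly where a revocation lookup belongs. The code below is an added example (not from the original post) that keys the list on the token's jti claim rather than the raw token string, keeps each entry only until the token's own exp time instead of a fixed TimeSpan.FromDays(1), and uses IDistributedCache so the list is shared across instances and survives a restart. The class names, the cache key prefix and the logout route are assumptions of this example; it assumes tokens carry jti and exp claims, as the login example earlier on the page does.

```csharp
// Added example: revocation list keyed on "jti", enforced for every request
// through JwtBearerEvents.OnTokenValidated, plus a logout endpoint that
// revokes the caller's own token. Names here are illustrative.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;

// IDistributedCache (e.g. Redis) instead of IMemoryCache so every instance behind a
// load balancer sees the same list and it survives a process restart.
public class TokenRevocationList
{
    private const string Prefix = "revoked-jti:";
    private readonly IDistributedCache _cache;

    public TokenRevocationList(IDistributedCache cache) => _cache = cache;

    public Task RevokeAsync(string jti, DateTimeOffset expiresAt)
    {
        // Keep the entry only until the token would have expired anyway;
        // after "exp" the normal lifetime check rejects it without our help.
        var options = new DistributedCacheEntryOptions { AbsoluteExpiration = expiresAt };
        return _cache.SetStringAsync(Prefix + jti, "1", options);
    }

    public async Task<bool> IsRevokedAsync(string jti) =>
        await _cache.GetStringAsync(Prefix + jti) != null;
}

public static class JwtRevocationSetup
{
    // Called from Program.cs / Startup: services.AddJwtWithRevocation();
    public static IServiceCollection AddJwtWithRevocation(this IServiceCollection services)
    {
        services.AddDistributedMemoryCache(); // swap for AddStackExchangeRedisCache in production
        services.AddSingleton<TokenRevocationList>();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // options.TokenValidationParameters (issuer, audience, key) configured as usual.
                options.Events = new JwtBearerEvents
                {
                    // Runs only after signature and lifetime have already been validated.
                    OnTokenValidated = async ctx =>
                    {
                        var jti = ctx.Principal?.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
                        if (string.IsNullOrEmpty(jti))
                        {
                            ctx.Fail("token has no jti claim"); // cannot be revoked, so reject it
                            return;
                        }

                        var list = ctx.HttpContext.RequestServices.GetRequiredService<TokenRevocationList>();
                        if (await list.IsRevokedAsync(jti))
                            ctx.Fail("token has been revoked");
                    }
                };
            });

        return services;
    }
}

[ApiController]
[Route("auth")]
public class RevocationController : ControllerBase
{
    private readonly TokenRevocationList _revocations;

    public RevocationController(TokenRevocationList revocations) => _revocations = revocations;

    // Logout: revoke exactly the token that authenticated this request.
    [Authorize]
    [HttpPost("logout")]
    public async Task<IActionResult> Logout()
    {
        // Both claims are present: OnTokenValidated rejected tokens without a jti,
        // and the lifetime validator requires exp.
        var jti = User.FindFirst(JwtRegisteredClaimNames.Jti)!.Value;
        var exp = long.Parse(User.FindFirst(JwtRegisteredClaimNames.Exp)!.Value);

        await _revocations.RevokeAsync(jti, DateTimeOffset.FromUnixTimeSeconds(exp));
        return NoContent();
    }
}
```

Storing the jti instead of the whole token keeps the cache small and avoids holding bearer credentials at rest. Tying the entry's expiry to exp means the list never grows beyond the set of revoked-but-not-yet-expired tokens, and a short token lifetime keeps that set small. To revoke every session of a locked-out user at once, the same lookup can additionally consult a per-user "revoked before" timestamp compared against the token's iat claim.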
