
Handle remember me using JWT (setting dynamic expiration time) #495

Closed
MPannier opened this issue Apr 12, 2021 · 9 comments
Labels: accepted (Issue has been accepted and inserted in a future milestone)

Comments

@MPannier (Contributor):
Hello, is there a way to handle "remember me" with JWT in DMVC Framework? Is it possible to "hook" into the creation of the JWT to set a longer ExpirationTime if the user calls "login" with an additional flag "rememberme": "true" or something like that?

@fastbike (Contributor):
That would be handled by the Identity Provider ?

@danieleteti danieleteti added the accepted Issue has been accepted and inserted in a future milestone label Apr 12, 2021
@danieleteti danieleteti added this to the 3.2.2-nitrogen milestone Apr 12, 2021
@danieleteti (Owner):
This is the comment from the Facebook Group related to this issue:

Hi guys. Currently, using the JWT middleware, that is not possible. The change to make it possible is really easy and I'm planning to do it ASAP without breaking things for the projects already using the JWT middleware (retrocompatibility is a must).
Mathias Pannier, if you are using 3.2.1-carbon just wait a bit and you can test 3.2.2-nitrogen, which will allow such kinds of tweaks (and many others) to the JWT generation. What you will finally be able to do is something like the code in the image. It will be ready and committed ASAP. Please file an issue on GitHub so that we can keep track of it.

[image: code snippet from the Facebook comment, not reproduced here]

We'll use this issue to track changes about this

@danieleteti (Owner) commented Apr 12, 2021:
@MPannier please check the sample \samples\jsonwebtoken\ and let me know if it works for your scenario. Then we can close the issue and this code will be included in the upcoming 3.2.2-nitrogen.

@MPannier (Contributor, Author):
It works for me. I can set an ExpirationTime depending on a given parameter. Thank you.

But I think that is not all. How can we handle a logout? I know it is not really possible with JWT because it is only available on the client side. But if a user logs in with rememberme and explicitly logs out, I would like to add the JWT to some kind of blacklist. And if an attacker has stolen the token, but the user called logout, I will prevent the usage of this JWT.

I think we also need a logout URL at which we can catch the token and save it. And we also need a procedure/event in the login process to check if the given token is blocked or something else.

@danieleteti (Owner):
Nice to know that this fixes your issue.
About the "Logout" functionality, usually this kind of thing is handled directly by another middleware which does all the checks. However, nothing stops us from designing a mechanism to automate these two events:

  • OnInvalidateToken (or OnLogout)
  • OnAcceptToken

It is quite simple. I'll think about it ASAP. If you want to contribute, you are welcome.

@MPannier (Contributor, Author):
I'm not sure whether to add these two new events or to create a new middleware for this kind of functionality. If you think about this topic and provide a solution in the near future, that is quite enough for me.

@danieleteti (Owner):
Good, let me think about the architecture from the user's POV and I'll get back to you with a possible approach to discuss.

@iliauta commented Aug 13, 2021:
The advantage of JWT is not keeping sessions on the server. Having such a middleware will force us to synchronize blacklisted tokens between nodes, which is actually similar to keeping sessions synchronized.

@danieleteti (Owner):
@iliauta this mechanism is a common pattern used with JWT when you need to handle some premature expiration.
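The two mechanisms discussed in this thread, written out as an added example that is not DMVC Framework code and does not use its API: a token whose expiration is chosen at login from a "remember me" flag, and a denylist keyed by the token's `jti` that an OnAcceptToken-style check consults so that an explicit logout (OnInvalidateToken) revokes the token before its `exp`. The hand-rolled HS256 encoder, the TTL values, and the names `issue_token`, `verify_token`, `logout` and `Denylist` are all assumptions for illustration; a real deployment would use a vetted JWT library and a shared store for the denylist.

```python
"""Added example (not DMVC Framework code): HS256 JWT with remember-me
dependent expiration and a jti denylist for early revocation on logout."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Assumed policy values (hypothetical): 1 hour by default, 30 days with remember-me.
DEFAULT_TTL = 60 * 60
REMEMBER_ME_TTL = 30 * 24 * 60 * 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, subject: str, remember_me: bool, now: Optional[int] = None) -> str:
    """Login hook: exp is derived from the remember_me flag rather than a fixed constant."""
    now = int(time.time()) if now is None else now
    ttl = REMEMBER_ME_TTL if remember_me else DEFAULT_TTL
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": subject,
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_urlsafe(16),  # unique id so one token can be revoked individually
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class Denylist:
    """Revoked jti values. An entry is kept only until that token's own exp, so the
    state each node holds (and must share) is bounded by logouts per token lifetime,
    not by the number of live sessions."""

    def __init__(self) -> None:
        self._revoked: Dict[str, int] = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def is_revoked(self, jti: str, now: int) -> bool:
        # Drop entries whose token has expired on its own; they can never verify again.
        for old_jti, exp in list(self._revoked.items()):
            if exp <= now:
                del self._revoked[old_jti]
        return jti in self._revoked


def verify_token(secret: bytes, token: str, denylist: Denylist,
                 now: Optional[int] = None) -> Optional[dict]:
    """OnAcceptToken-style check: signature, then exp, then the denylist.
    Returns the claims on success, None otherwise."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse algorithm switching, including "none"
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64, JSON or token shape
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    if denylist.is_revoked(claims.get("jti", ""), now):
        return None
    return claims


def logout(secret: bytes, token: str, denylist: Denylist, now: Optional[int] = None) -> bool:
    """OnInvalidateToken-style hook for a logout URL: only a token that currently
    verifies is denylisted, and it is remembered until its own exp."""
    now = int(time.time()) if now is None else now
    claims = verify_token(secret, token, denylist, now)
    if claims is None:
        return False
    denylist.revoke(claims["jti"], claims["exp"])
    return True
```

Because every denylist entry carries the token's `exp` and is discarded once that time passes, the list never grows beyond the number of logouts issued within one token lifetime, which is the property that makes this cheaper to replicate across nodes than full server-side sessions.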
