
I don't know how to narrow down this question further: We are using Auth0 and WebApi 2. I need to display a list of all users who are currently logged in. More specifically, Auth0 issues a token, and this token is then sent with every request to our WebApi. I imagine I need to write the token and the associated id to the database every time a request is made to any controller with the specific token? Can someone give me a general idea of whether or not I am on the right path here, or what I should be reading?

Auth0 docs are of little help, since this seems to be an unusual requirement. Same with: http://www.asp.net/web-api/overview/security

I am not concerned about the client side. I just need the way to go on the server.

Edit: I added another part to this question in the comments: I would also like to know how to revoke tokens, effective immediately. To understand this, I believe I need to understand exactly how the backend verifies the token sent by the front end, and whether or not Auth0's server gets called for this at all.

1 Answer

I'm a developer advocate at Auth0. Let me see if I can help you :).

The whole idea of having an API that only checks a JWT is to have a stateless API. "Logged in" doesn't really exist conceptually. All JWTs expire at some point, and that's what gets checked when you call the API.

So, my suggestion would be the following:

Every time you receive an API call, save the JWT somewhere in memory. Then, when we need to get the logged-in users, you just take all the JWTs in that list and display the ones that haven't expired as "logged in". Also, you should have a cron that runs over the list every 5 minutes and clears out the expired JWTs. It isn't really the "logged-in" users, but I think it's close enough.

Would that work?

Thanks

answered 2015-05-12T21:19:58.043
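The registry the answer describes, as an added example that is not part of the original post or of Auth0's own code. It is written in Python rather than WebApi 2 C# so the logic is easy to follow; the HS256 shared secret, the claims and the tokens are constructed for the demo (Auth0 can also issue RS256 tokens, which would change `verify_jwt` but nothing else), and `handle_request` stands in for the authentication filter that runs before every controller. It also shows the point behind the question's edit: verification is entirely local, so the issuer is never called per request.

```python
# Added example, not code from the original post or from Auth0.
# Assumptions: HS256 tokens signed with a shared secret; a single process;
# the filter below runs in front of every controller.
import base64
import hashlib
import hmac
import json
import threading

SECRET = b"demo-shared-secret"  # constructed for the demo, shared with the issuer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT; stands in for Auth0 in the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: int, secret: bytes = SECRET) -> dict:
    """Local check of signature and exp. No network call to the issuer is made,
    which is why the API is stateless and why revocation needs extra state."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or a downgrade
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "sub" not in claims or "exp" not in claims:
        raise ValueError("missing sub or exp")
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


class ActiveUserRegistry:
    """The answer's in-memory list. Only the subject and expiry are kept,
    never the raw bearer token, so a memory dump of this structure cannot be
    replayed against the API."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._seen: dict = {}  # sub -> (exp, last_seen)

    def record(self, claims: dict, now: int) -> None:
        with self._lock:
            prev = self._seen.get(claims["sub"])
            exp = max(claims["exp"], prev[0]) if prev else claims["exp"]
            self._seen[claims["sub"]] = (exp, now)

    def active_users(self, now: int) -> list:
        """'Logged in' = has presented a token that has not yet expired."""
        with self._lock:
            return sorted(s for s, (exp, _) in self._seen.items() if exp > now)

    def sweep(self, now: int) -> int:
        """The answer's five-minute cron: drop entries whose token has expired."""
        with self._lock:
            dead = [s for s, (exp, _) in self._seen.items() if exp <= now]
            for s in dead:
                del self._seen[s]
            return len(dead)


def handle_request(registry: ActiveUserRegistry, token: str, now: int) -> str:
    """What an authentication filter in front of every controller would do."""
    claims = verify_jwt(token, now)
    registry.record(claims, now)
    return claims["sub"]


def demo():
    now = 1_431_465_600  # fixed clock for the demo
    reg = ActiveUserRegistry()
    alice = make_jwt({"sub": "auth0|alice", "exp": now + 3600})
    bob = make_jwt({"sub": "auth0|bob", "exp": now + 60})
    handle_request(reg, alice, now)
    handle_request(reg, bob, now)
    first = reg.active_users(now)        # both users
    later = now + 300
    swept = reg.sweep(later)             # bob's token has expired
    second = reg.active_users(later)     # only alice
    return first, swept, second
```

Two caveats a practitioner would add: the list is per process, so behind a load balancer each WebApi instance sees only its own traffic and the store has to move to something shared; and because `verify_jwt` never contacts Auth0, "revoke effective immediately" cannot come from the token alone. It needs the same kind of server-side state on every request (a deny-list of `sub` or `jti` values consulted in the filter) or tokens short-lived enough that expiry is an acceptable delay.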