Sorry for my bad English. I’m writing an application in ASP.NET Core using Vue.js for the client side. To authenticate users I’m using JWT and ASP.NET Identity. There is a method for changing the password. But I can’t understand: how do I invalidate the token after a password change, so that a user authenticated in another browser will be logged out after that? Has anyone had a problem like this?
You normally don’t invalidate JWTs because they are meant to be short-lived access tokens, and therefore after the password change, a request for a new token will prompt the user to re-enter credentials.
If you do absolutely need to invalidate the JWT immediately after a password change, you need to look into introspection, where the backend API essentially has a backchannel to the token issuer and can then re-validate the token on every request. This way, if you invalidate the token at the issuer side, it will be reflected on the API side immediately.
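
The difference the answer describes, as an added example that is not code from this thread: after a password change the JWT's signature still verifies, so only a check against the issuer's state rejects the session in the other browser. The `Issuer` class and its method names are hypothetical, the issuer is modelled in memory (in a real deployment `Introspect` is a request from the API to the token service), token expiry is omitted, and .NET 6 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

var issuer = new Issuer();
var browserA = issuer.Issue("alice");   // constructed sample user with two sessions
var browserB = issuer.Issue("alice");
issuer.ChangePassword("alice");         // password changed from browser A
Console.WriteLine($"B, signature only: {issuer.SignatureValid(browserB)}");
Console.WriteLine($"B, introspection:  {issuer.Introspect(browserB)}");
Console.WriteLine($"A, introspection:  {issuer.Introspect(browserA)}");

// Hypothetical in-memory issuer; a real one is a separate token service.
class Issuer
{
    private readonly byte[] _key = RandomNumberGenerator.GetBytes(32);
    private readonly HashSet<(string User, string Token)> _active = new();

    private static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    private string Sign(string data) =>
        B64Url(HMACSHA256.HashData(_key, Encoding.UTF8.GetBytes(data)));

    public string Issue(string user)
    {
        var header = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        var payload = B64Url(Encoding.UTF8.GetBytes(
            $"{{\"sub\":\"{user}\",\"jti\":\"{Guid.NewGuid():N}\"}}"));
        var token = header + "." + payload + "." + Sign(header + "." + payload);
        _active.Add((user, token));
        return token;
    }

    // All an API can check when it validates the JWT locally.
    public bool SignatureValid(string token)
    {
        var i = token.LastIndexOf('.');
        return i > 0 && CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(Sign(token[..i])), Encoding.UTF8.GetBytes(token[(i + 1)..]));
    }

    // Backchannel check: the issuer reports whether the token is still active.
    public bool Introspect(string token) =>
        SignatureValid(token) && _active.Any(e => e.Token == token);
    // A password change drops every token issued to that user.
    public void ChangePassword(string user) => _active.RemoveWhere(e => e.User == user);
}
```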