JwtRefreshTokenRotation 1.1.0
There is a newer version of this package available.
See the version list below for details.
JWT Inactivity Middleware
JWT Inactivity Middleware is a reusable ASP.NET Core package that enforces inactivity thresholds on JWT bearer tokens.
Unlike standard JWT expiration (exp), this middleware tracks last access time in Redis and rejects tokens that exceed a configurable inactivity window.
Features
- Inactivity threshold enforcement: Reject tokens idle longer than the configured duration.
- Redis-backed tracking: Distributed cache ensures consistency across multiple API instances.
- Sliding expiration: Active tokens remain valid as long as they're used within the threshold.
- Configurable options: Set inactivity threshold, Redis connection string, and JWT secret via JwtTokenRotationOptions.
- JWT generator service: Issue tokens with a jti claim for inactivity tracking.
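Usage
Register the services and add the middleware to the pipeline:

```csharp
// Program.cs: register the inactivity-tracking services and their options.
builder.Services.AddJwtTokenRotation(new JwtTokenRotationOptions
{
    InactivityThreshold = TimeSpan.FromMinutes(15),
    RedisConnectionString = "localhost:6379",
    JwtSecret = builder.Configuration["Jwt:Secret"]
});

// After builder.Build(): add the middleware to the request pipeline.
app.UseJwtTokenRotation();
```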
Best Practices
- Always enforce both absolute expiration (exp) and inactivity threshold.
- Use Redis TTL to auto-clean expired sessions.
- Configure secrets via environment variables or appsettings.json.
- Log jti, user ID, and inactivity rejections for auditing.
- Keep middleware lightweight and stateless aside from Redis.
Contributing
Contributions are welcome!
- Fork the repo
- Create a feature branch
- Submit a pull request
- Please ensure all tests pass before submitting.
- For major changes, open an issue first to discuss what you'd like to change.
Project Structure

```
JwtTokenMiddleware/
├── JwtTokenRotationMiddleware.cs           # Core middleware logic
├── JwtTokenRotationOptions.cs              # Configurable options
├── JwtTokenGenerator.cs                    # Token generator service
├── JwtTokenRotationExtension.cs            # DI + middleware registration
└── JwtTokenMiddleware.csproj               # Library project file
JwtTokenMiddleware.Sample/
├── Program.cs                              # Demo API setup
├── Controllers/AuthController.cs           # Example login + token issuance
└── JwtTokenMiddleware.Sample.csproj
JwtTokenMiddleware.Test/
├── JwtTokenRotationMiddlewareTests.cs      # Unit tests for inactivity logic
└── JwtTokenMiddleware.Test.csproj
```
Sequence Diagram

```
User                     AuthController           JwtTokenGenerator   Redis                    Middleware
|                        |                        |                   |                        |
|--- Login Request ----->|                        |                   |                        |
|                        |--- GenerateTokenAsync->|                   |                        |
|                        |                        |--- Create JWT ----|                        |
|                        |                        |--- Store jti,lastAccess,TTL=TokenExpiration->|
|                        |<-- JWT Token ----------|                   |                        |
|<-- Token Response -----|                        |                   |                        |
|                                                                                              |
|--- API Request -------->------------------------>-------------------|----------------------->|
|                        |                        |                   |                        |
|                        |                        |                   |--- Get jti,lastAccess->|
|                        |                        |                   |<-- lastAccess,TTL -----|
|                        |                        |                   |                        |
|                        |                        |                   |--- Compare inactivity--|
|                        |                        |                   |--- If expired -> 401 --|
|                        |                        |                   |                        |
|                        |                        |                   |--- If valid: update lastAccess, TTL=remainingLifetime->|
|                        |                        |                   |                        |
|<-- Response (200/401)--|                        |                   |                        |
```
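The per-request check and sliding update from the diagram above, as an added C# example that is not the package's own code. An in-memory dictionary stands in for Redis; `InactivityTracker`, `Decision`, and the fail-closed handling of an unknown jti are assumptions made for this example.

```csharp
// Added example: names and the in-memory store are hypothetical, not the package API.
using System;
using System.Collections.Generic;

public enum Decision { Allowed, RejectedExpired, RejectedUnknownJti, RejectedInactive }

public sealed class InactivityTracker
{
    // jti -> (lastAccess, entryExpiry); entryExpiry emulates the Redis key TTL.
    private readonly Dictionary<string, (DateTimeOffset LastAccess, DateTimeOffset EntryExpiry)> _store = new();
    private readonly TimeSpan _threshold;

    public InactivityTracker(TimeSpan threshold) => _threshold = threshold;

    // At issuance: store jti and lastAccess with TTL = token lifetime.
    public void Register(string jti, DateTimeOffset now, DateTimeOffset tokenExp) =>
        _store[jti] = (now, tokenExp);

    // Per request, after the JWT signature has been validated.
    public Decision Check(string jti, DateTimeOffset now, DateTimeOffset tokenExp)
    {
        // Absolute expiration (exp) is enforced in addition to inactivity.
        if (now >= tokenExp) { _store.Remove(jti); return Decision.RejectedExpired; }
        // Fail closed: a missing or TTL-expired entry means the session is gone.
        if (!_store.TryGetValue(jti, out var entry) || now >= entry.EntryExpiry)
        { _store.Remove(jti); return Decision.RejectedUnknownJti; }
        if (now - entry.LastAccess > _threshold)
        { _store.Remove(jti); return Decision.RejectedInactive; }
        // Slide the window; the entry never outlives the token's remaining lifetime.
        _store[jti] = (now, tokenExp);
        return Decision.Allowed;
    }
}

public static class Demo
{
    public static void Main()
    {
        var t0 = new DateTimeOffset(2025, 1, 1, 12, 0, 0, TimeSpan.Zero); // constructed timeline
        var exp = t0.AddHours(1);                                          // absolute expiry
        var tracker = new InactivityTracker(TimeSpan.FromMinutes(15));
        tracker.Register("jti-sample-1", t0, exp);                         // constructed jti

        // Idle gaps of 10, 14 and 16 minutes, then a retry one minute after the rejection.
        foreach (var m in new[] { 10, 24, 40, 41 })
            Console.WriteLine($"t+{m}min: {tracker.Check("jti-sample-1", t0.AddMinutes(m), exp)}");
    }
}
```

Removing the entry on rejection means a retry with the same token is also refused, and the `Decision` value gives a reason to log next to the jti.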
Change Log
1.1.0
- Added auto extend expiration feature.
- When expiration is extended, a new token with an updated jti should be returned via the 'X-New-Token' response header.
- Delete old jti from Redis when token is regenerated.
- Improved JWT generation by using SecurityTokenDescriptor rather than JwtSecurityToken.
1.0.0
- Initial release with core inactivity tracking features.
Installation
dotnet add package JwtRefreshTokenRotation --version 1.1.0
| Product | Versions (compatible and additional computed target framework versions) |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
Dependencies for net10.0:
- Microsoft.AspNetCore.Authentication.JwtBearer (>= 10.0.1)
- Microsoft.Extensions.Caching.StackExchangeRedis (>= 10.0.1)
- Microsoft.Extensions.Configuration (>= 10.0.1)
- StackExchange.Redis (>= 2.10.1)
- System.IdentityModel.Tokens.Jwt (>= 8.15.0)