I’m excited to announce the release of "LiveAuth" — an extension for ASP.NET Core that solves one of the most common limitations of JWT authentication: lack of real-time control over active sessions.
JWT is widely used because it is stateless and scalable. However, this design also introduces several practical challenges in real systems.
Once a JWT is issued, it cannot easily:
• be revoked immediately
• reflect role changes in real time
• support forced logout
• enforce true session control
In many production environments, this leads to difficult trade-offs between security and simplicity.
"LiveAuth" addresses this problem by introducing dynamic session validation on top of existing JWT authentication, without replacing the authentication pipeline.
Instead of modifying the authentication scheme, LiveAuth integrates with the OnTokenValidated hook of JwtBearer authentication. Every request is validated against a central session store, allowing the application to enforce real-time session state.
Key capabilities include:
• Immediate session revocation
• Version-based token invalidation
• Optional real-time role override
• Compatibility with standard ASP.NET Core JWT authentication
• No custom authentication handler required
• Works with Redis, SQL, or any session store
With this approach, applications can maintain the scalability of JWT while gaining centralized control over active sessions.
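The per-request check described above can be sketched directly against the standard `JwtBearerEvents.OnTokenValidated` hook. This is an added example, not LiveAuth's own code or API: `ISessionStore`, `SessionState`, and the claim names `session_id` and `session_ver` are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical session record and store (not LiveAuth types); back it with Redis, SQL, etc.
public sealed record SessionState(bool Revoked, int Version, DateTimeOffset ExpiresAt, string[] Roles);
public interface ISessionStore { Task<SessionState?> GetAsync(string sessionId, CancellationToken ct); }

public static class SessionValidation
{
    // Wire up in AddJwtBearer with: options.Events = SessionValidation.CreateEvents();
    // Assumed claims: "session_id" = session key, "session_ver" = session version at issue time.
    public static JwtBearerEvents CreateEvents() => new()
    {
        OnTokenValidated = async context =>
        {
            var principal = context.Principal!;
            var store = context.HttpContext.RequestServices.GetRequiredService<ISessionStore>();
            var sid = principal.FindFirst("session_id")?.Value;
            var session = sid is null ? null
                : await store.GetAsync(sid, context.HttpContext.RequestAborted);
            // Fail closed: a missing, revoked or expired session rejects a validly signed token.
            if (session is null || session.Revoked || session.ExpiresAt <= DateTimeOffset.UtcNow)
            {
                context.Fail("Session is not active.");
                return;
            }
            // Version check: bumping the stored version invalidates every older token.
            if (!int.TryParse(principal.FindFirst("session_ver")?.Value, out var tokenVersion)
                || tokenVersion != session.Version)
            {
                context.Fail("Token version is stale.");
                return;
            }
            // Role override: drop the roles baked into the token, use the store's current roles.
            var identity = (ClaimsIdentity)principal.Identity!;
            foreach (var claim in identity.FindAll(identity.RoleClaimType).ToList())
                identity.RemoveClaim(claim);
            foreach (var role in session.Roles)
                identity.AddClaim(new Claim(identity.RoleClaimType, role));
        }
    };
}
```

Because the store is consulted on every authenticated request, its latency and availability become part of the authentication path; this sketch rejects the request when no session record is returned rather than falling back to the token alone.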
To demonstrate this concept, I also built a sample implementation that enforces role revocation in a Web API.
Without server-side validation:
- User logs in → JWT issued
- User becomes idle
- JWT remains valid
- Access still granted
With LiveAuth + server session validation:
- User logs in
- User becomes idle
- Session expires
- Next request → Unauthorized
This shows how LiveAuth enables real-time session enforcement while still using JWT.
This example highlights the real-world limitation of stateless JWT tokens and shows how LiveAuth can be used to enforce dynamic session policies.
GitHub Repository
https://github.com/ksamhere/LiveAuth
NuGet Package
https://www.nuget.org/packages/LiveAuth
The project is open source and released under the MIT license.
I built this as part of exploring practical solutions to real authentication challenges in distributed systems, and I hope it helps developers who face similar issues when working with JWT.
Feedback, suggestions, and contributions are welcome.
