LiveAuth: Solving JWT Statelessness in ASP.NET Core Applications
These articles are AI-generated summaries. Please check the original sources for full details.
LiveAuth - a nuget pkg to liberate your JWT authentication
Karuppasamy Pandian has released LiveAuth, an extension for ASP.NET Core designed to enable real-time control over active JWT sessions. The system integrates with the standard OnTokenValidated hook to validate every request against a central session store like Redis or SQL.
Why This Matters
JWTs are stateless by design, so an issued token cannot be revoked immediately or reflect role updates in real time, which often forces a trade-off between scalability and security. LiveAuth addresses this by adding dynamic session validation on top of the existing authentication pipeline, so a system keeps stateless scalability while gaining the ability to force logouts and expire sessions.
Key Insights
- Standard JWTs cannot be revoked immediately or reflect role changes in real time once issued (Pandian, 2026).
- LiveAuth utilizes the OnTokenValidated hook in the JwtBearer authentication pipeline to enforce server-side validation.
- The library supports version-based token invalidation to manage credential lifecycles effectively.
- Session state can be stored in any central store, including Redis or SQL, to maintain consistency across distributed systems.
- LiveAuth enables real-time role overrides without requiring a custom authentication handler.
Practical Applications
- Use Case: Immediate role revocation in a Web API where a user’s permissions change while their token is still active. Pitfall: Relying on standard JWT expiration allows unauthorized access until the token naturally expires.
- Use Case: Enforcing idle session timeouts by checking session activity in a central store during every request. Pitfall: Implementing complex custom middleware that bypasses standard ASP.NET Core security patterns.
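The checks described above (forced logout, version-based invalidation, idle timeout and role override) can be wired into the standard OnTokenValidated hook as in the following added example, which is not LiveAuth's own code or API. The `session_id` and `token_ver` claim names, the `ISessionStore`, `Session` and `InMemorySessionStore` types, the `Jwt:*` configuration keys and the 15-minute idle limit are all assumptions; it targets a .NET 8 web project with implicit usings and the Microsoft.AspNetCore.Authentication.JwtBearer package.

```csharp
using System.Collections.Concurrent;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<ISessionStore, InMemorySessionStore>();
builder.Services.AddAuthorization();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
{
    o.Authority = builder.Configuration["Jwt:Authority"]; // assumed configuration keys
    o.Audience = builder.Configuration["Jwt:Audience"];
    o.Events = new JwtBearerEvents
    {
        // Runs only after signature, issuer, audience and lifetime checks have passed.
        OnTokenValidated = async ctx =>
        {
            var store = ctx.HttpContext.RequestServices.GetRequiredService<ISessionStore>();
            var id = ctx.Principal?.FindFirst("session_id")?.Value; // assumed claim name
            var session = id is null ? null : await store.GetAsync(id);
            // Fail closed: unknown or revoked session, superseded version, idle too long.
            if (session is null || session.Revoked) { ctx.Fail("session revoked or unknown"); return; }
            if (ctx.Principal!.FindFirst("token_ver")?.Value != session.Version.ToString())
            { ctx.Fail("token version superseded"); return; }
            if (DateTimeOffset.UtcNow - session.LastSeen > TimeSpan.FromMinutes(15))
            { ctx.Fail("idle timeout"); return; }
            await store.SaveAsync(id!, session with { LastSeen = DateTimeOffset.UtcNow });
            // Role override: roles come from the store, not from the token.
            var identity = (ClaimsIdentity)ctx.Principal!.Identity!;
            foreach (var c in identity.FindAll(identity.RoleClaimType).ToList()) identity.TryRemoveClaim(c);
            foreach (var r in session.Roles) identity.AddClaim(new Claim(identity.RoleClaimType, r));
        }
    };
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/admin", () => "ok").RequireAuthorization(p => p.RequireRole("admin"));
app.Run();

// Hypothetical session model and store; the in-memory class stands in for Redis or SQL.
record Session(int Version, bool Revoked, DateTimeOffset LastSeen, string[] Roles);
interface ISessionStore { Task<Session?> GetAsync(string id); Task SaveAsync(string id, Session s); }
class InMemorySessionStore : ISessionStore
{
    private readonly ConcurrentDictionary<string, Session> _sessions = new();
    public Task<Session?> GetAsync(string id) =>
        Task.FromResult<Session?>(_sessions.TryGetValue(id, out var s) ? s : null);
    public Task SaveAsync(string id, Session s) { _sessions[id] = s; return Task.CompletedTask; }
}
```

The store starts empty, so every token is rejected until a login flow (not shown) writes a `Session` whose `Version` matches the `token_ver` claim it issues; bumping `Version` or setting `Revoked` then invalidates outstanding tokens on their next request.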