question. How do I invalidate an existing token?
SanderElias opened this issue · 7 comments
I'm in the situation that I need a way to invalidate an existing token.
Once a token is invalidated, it should not be possible to auth with it anymore. I could not find a way to do this. Did I miss something, or is this not supported yet?
@SanderElias Here are some resources on how to invalidate a jwt token:
http://stackoverflow.com/questions/21978658/invalidating-json-web-tokens
http://www.kdelemme.com/2014/05/12/use-redis-to-revoke-tokens-generated-from-jsonwebtoken/
The easiest way is to just remove the token from the client. If you're worried about security, you'll need to implement a more advanced security system.
@eventhough I knew about that.
But I hoped there would be at least some helpers inside hapi-auth-jwt2 to ease this.
For example, if an md5 hash (or other identifier) of the token were available somewhere in the request, it would make things a lot simpler.
For now, this is a single server, so I could keep an array of invalid tokens, along with their expiry times, in memory.
When scaling up, putting it in redis makes sense, but actually any DB would do, as this data set would be very tiny (invalidated && not expired).
@SanderElias If you need some kind of token identifier, you could probably use iat, the "issued at" timestamp. For each token the combination of a user id + iat would very likely be unique.
Maybe take a look at the "jti" property of the jwt
@vdeturckheim great recommendation! @SanderElias it looks like you will have to add jti to the payload object when the token is issued. Currently there is no direct support of jti in jsonwebtoken: auth0/node-jsonwebtoken#104. But it looks like they are considering adding it as a library option.
@SanderElias we store our JWT-based sessions in a Redis datastore and look up the session for the given JWT during the validateFunc (validation function), see: https://github.com/dwyl/hapi-auth-jwt2-example/blob/791b0d3906d4deb256daf23fcf8f5021905abe9e/index.js#L25
This means we can invalidate the session in Redis and then reject a request that uses an "old" or invalid JWT. see: https://github.com/dwyl/hapi-auth-jwt2-example/blob/791b0d3906d4deb256daf23fcf8f5021905abe9e/index.js#L25
How did you decide to do it?
@SanderElias please let us know if you still need further clarification on this. Otherwise, can we close the issue? Thanks. 👍