lexik/LexikJWTAuthenticationBundle

Possibility to define additional identity fields for easy token revocation / logout

Ninos opened this issue · 0 comments

Ninos commented

Would be awesome to get the possibility to define additional identity fields in lexik_jwt_authentication.yaml, e.g. something like this:

lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    additional_identity_fields: [password, updatedAt, tokenSalt]

After changing password/updatedAt/tokenSalt the tokens become invalid -> revocation solved.

Maybe it's not the best idea to send the hashed password in the token payload (such information can still be used for attacks), but we can harden it up a bit, e.g. by creating a hash over all configured identity fields (more defined fields -> better salt).
Example configuration:

lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    additional_identity_fields: [password, updatedAt, tokenSalt]
    additional_identity_hash: true

or just hashing by default...

I think this is the easiest way to revoke exposed tokens. Currently we can also use iat for an expiration check (increase the date of a field, e.g. tokenValidSince, and check it against iat), but an automatic way implemented into the core would be awesome. :-)
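The scheme proposed in this issue, written out as an added example that is not part of the issue and not code from LexikJWTAuthenticationBundle itself: a JWT_CREATED listener adds a claim that is a keyed hash over the user's password hash, updatedAt and tokenSalt, and a JWT_AUTHENTICATED listener recomputes it and rejects the token on mismatch, plus the tokenValidSince-vs-iat check mentioned at the end. Assumed (hypothetical): an App\Entity\User with getPassword(), getUpdatedAt(), getTokenSalt() and getTokenValidSince() accessors, a server-side key injected as $fingerprintKey, and that an AuthenticationException thrown from the JWT_AUTHENTICATED listener is handled by Symfony's authenticator manager as a failed authentication.

```php
<?php
// Added example, not part of the issue or of LexikJWTAuthenticationBundle.
// Assumed: App\Entity\User with getPassword(), getUpdatedAt(), getTokenSalt(),
// getTokenValidSince(); $fingerprintKey is a server-side secret you inject.
declare(strict_types=1);

namespace App\Security;

use App\Entity\User;
use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTAuthenticatedEvent;
use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;
use Lexik\Bundle\JWTAuthenticationBundle\Events;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;

/** Keyed hash over the "identity" field values; the claim never exposes them. */
final class IdentityFingerprint
{
    public const CLAIM = 'idf';

    /** @param list<string> $values  Order is fixed by the caller. */
    public static function compute(array $values, string $key): string
    {
        // Length-prefix each value so ["ab","c"] and ["a","bc"] cannot collide.
        $canonical = '';
        foreach ($values as $v) {
            $canonical .= strlen($v) . ':' . $v . ';';
        }
        // HMAC rather than a bare hash: a JWT payload is only base64-encoded,
        // so anything derived from the password hash is readable by every token holder.
        return hash_hmac('sha256', $canonical, $key);
    }

    public static function matches(string $expected, string $fromToken): bool
    {
        return hash_equals($expected, $fromToken); // constant-time comparison
    }
}

final class TokenRevocationSubscriber implements EventSubscriberInterface
{
    public function __construct(private readonly string $fingerprintKey) {}

    public static function getSubscribedEvents(): array
    {
        return [
            Events::JWT_CREATED       => 'onJwtCreated',
            Events::JWT_AUTHENTICATED => 'onJwtAuthenticated',
        ];
    }

    /** The fields from the proposal: password, updatedAt, tokenSalt. @return list<string> */
    private function identityValues(User $user): array
    {
        return [
            (string) $user->getPassword(),
            $user->getUpdatedAt()->format(\DateTimeInterface::RFC3339_EXTENDED),
            $user->getTokenSalt(),
        ];
    }

    // Issuance: add the fingerprint claim next to the bundle's own claims.
    public function onJwtCreated(JWTCreatedEvent $event): void
    {
        $user = $event->getUser();
        if (!$user instanceof User) {
            return;
        }
        $data = $event->getData();
        $data[IdentityFingerprint::CLAIM] =
            IdentityFingerprint::compute($this->identityValues($user), $this->fingerprintKey);
        $event->setData($data);
    }

    // Verification: runs after the signature check and user loading. Throwing an
    // AuthenticationException here is treated as a failed authentication (assumed).
    public function onJwtAuthenticated(JWTAuthenticatedEvent $event): void
    {
        $user = $event->getToken()->getUser();
        if (!$user instanceof User) {
            return;
        }
        $payload = $event->getPayload();
        // Missing claim == token issued before this check existed: reject it too,
        // otherwise old tokens would simply bypass revocation.
        $claim    = $payload[IdentityFingerprint::CLAIM] ?? null;
        $expected = IdentityFingerprint::compute($this->identityValues($user), $this->fingerprintKey);
        if (!is_string($claim) || !IdentityFingerprint::matches($expected, $claim)) {
            throw new AuthenticationException('Token revoked: identity fields changed since issuance.');
        }
        // The other mechanism mentioned in the issue: a per-user cut-off versus iat.
        $validSince = $user->getTokenValidSince();
        if ($validSince !== null && (int) ($payload['iat'] ?? 0) < $validSince->getTimestamp()) {
            throw new AuthenticationException('Token revoked: issued before tokenValidSince.');
        }
    }
}
```

Bind `$fingerprintKey` to its own secret in services.yaml rather than reusing the JWT signing key, so the two can be rotated independently. Every field fed into the fingerprint is a revocation trigger: with updatedAt included, any profile edit logs the user out of every device, while rotating tokenSalt alone gives an explicit "log out everywhere" action without touching the password. The tokenValidSince check only covers tokens whose iat predates the cut-off, so a token issued in the same second as the cut-off remains valid.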