Invalidation / Blacklist a token
cedriclombardot opened this issue · 3 comments
cedriclombardot commented
Hi,
I've not found in documentation, how to invalidate a JWT token, what is the good process method ?
Found issues about token_blacklist.* but not found in code and not understand the good way
Thanks in advance
cedriclombardot commented
Hi here ? Have u got an idea ? @chalasr is it a missing feature, if true perhaps can i propose an implementation !?
chalasr commented
Hi @cedriclombardot,
Thanks for this and apologies for the late reply, my OSS time is very limited lately.
I want this to happen 👍 So a pull request would be much appreciated.
Here are some insights about what such an implementation should look like from my POV:
- This feature must be opt-in
- Tokens should be given a jti claim whose value should be the only thing persisted: if the feature is enabled and a token's jti exists in the blocklist then that token must be rejected.
- Feature detection should not be only based on the presence of the jti, as it mght break existing code that relies on this claim today.
- The blacklist term should be avoided, alternative such as blocklist should be preferred :)
- We will probably need a simple abstraction for the blocklist storage. A very limited set of built-in implementations should be provided, not necessarily as part of the first iteration (i.e. it can wait til another PR).
Please let me know if you're still wiling to work on this. Anyway, happy to know your thoughts on the above proposal