Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token Invalidation #5

Open
Tracked by #1
sam-lippert opened this issue Oct 12, 2022 · 1 comment
Open
Tracked by #1

Token Invalidation #5

sam-lippert opened this issue Oct 12, 2022 · 1 comment

Comments

@sam-lippert
Copy link
Contributor

sam-lippert commented Oct 12, 2022
edited
Loading

From @nathanclevenger:

We would need to create a list of invalidated token IDs ... and for performance we wouldn't want to wait for those to come through, although they could be in a env variable or fetched after validation (so potentially the initial request of a given worker could be allowed as to not have to await the result list).

From https://blog.indrek.io/articles/invalidate-jwt/:

When the server receives a logout request, take the JWT from the request and store it in an in-memory database. For each authenticated request you would need to check your in-memory database to see if the token has been invalidated. To keep the search space small, you could remove tokens from the blacklist which have already expired.
@sam-lippert sam-lippert mentioned this issue Oct 12, 2022
Closed
@sam-lippert
Copy link
Contributor Author

sam-lippert commented Oct 17, 2022
edited
Loading

  • /logout adds token to invalidated list with TTL
  • Retrieve invalidated token list asynchronously

@nathanclevenger nathanclevenger mentioned this issue Nov 30, 2022
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sam-lippert