Jwt-auth: [Suggestion] Remove token

Created on 3 Dec 2014 · 22 Comments · Source: tymondesigns/jwt-auth

Hi!

It would be good if the token could be purged by some function called JWTAuth::removeToken($token).

Thanks!


All 22 comments

If you're referring to invalidating the token, then this is coming as part of the 0.4 release I am currently working on over on the develop branch.

I intend to provide the ability to refresh expired tokens and invalidate tokens by adding them to a Redis-driven blacklist.

Thanks!

Great!

Any news on this? How would you invalidate tokens right now? On a logout, for example, you want to remove the token. Are the tokens stored anywhere, btw?

You can now invalidate tokens using the invalidate() method, e.g.

JWTAuth::setToken('too.bar.baz')->invalidate();

This will add the token to a Laravel cache-driven blacklist until it has expired, at which point it will be purged automatically.

I'm almost done with the new docs write-up, so watch out for that.

Oh ok, invalidate() doesn't seem to work. Is there a new version? So the tokens are stored in a Laravel cache somehow? I was trying to find out where they are stored, but no success so far.

I am referring to versions 0.4 (for Laravel 4) and 0.5 (for Laravel 5).

Out of the box, the default storage provider for blacklisted tokens uses Laravel's cache system - see here.
But any key/value store will do. You can simply point the config option to your new class that implements the StorageInterface.

Hope that helps :)

Yes, it does. But is this for blacklisted tokens only, or for tokens in general? It would be great to include that in the documentation.

Also, invalidate is still not working. Are you going to release a new version soon, or is it probably me not doing the right thing?

$token = JWTAuth::getToken();
if ($token) {
    JWTAuth::setToken($token)->invalidate();
}

invalidate is not a function.

Tokens are only stored in the blacklist, if they have been previously invalidated. I will try to make that clear in the docs.

Could you confirm what version you are using?

version: "tymon/jwt-auth": "0.3.*"
But what about the non-blacklisted tokens, the active ones, where do you store them? Sorry if it is a stupid question.

Got it. Thanks! I was just confused about the fact that we don't store the token anywhere. We just check against the token, and verify the credentials by decoding the token. Thanks, will upgrade then.

Jérémy Dagorn
www.jeremydagorn.com

Android apps I developed:
https://play.google.com/store/apps/developer?id=JumyApps

You will need to upgrade to version 0.4 (for Laravel 4) and 0.5 (for Laravel 5), as I only introduced the token blacklisting in these versions and the invalidate() method indeed does not exist in 0.3.

I will try and illustrate the flow here

  • Client sends login credentials to jwt api.
  • If credentials are good, then api responds with the jwt (it is not stored anywhere, just sent to the client)
  • Client then stores the token in localStorage for example, and uses this to make further authenticated requests.
  • The api verifies this token and pulls out the user from the subject claim (part of the decoded token) and continues with the request.
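The flow in the list above, together with the cache-driven blacklist that invalidate() populates (described earlier in the thread), as an added example that is not jwt-auth's own code. It assumes HS256 signing with hash_hmac, a plain PHP array standing in for the Laravel cache store, and a jti claim on every issued token; none of those details come from the thread.

```php
<?php
// Added example, not jwt-auth's own code. Minimal stateless JWT flow plus a
// blacklist that remembers an invalidated token's "jti" only until its "exp".
// Assumptions: HS256 via hash_hmac, an in-memory array in place of the Laravel
// cache store, and every issued token carrying "jti" and "exp" claims.
function b64url(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
function b64url_dec(string $s): string { return (string) base64_decode(strtr($s, '-_', '+/')); }

// Login step: the API signs the claims and sends the token; it stores nothing.
function issue(array $claims, string $secret): string {
    $h = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $p = b64url(json_encode($claims));
    return "$h.$p." . b64url(hash_hmac('sha256', "$h.$p", $secret, true));
}

// Per-request step: check signature, expiry and blacklist; return claims or null.
function verify(string $jwt, string $secret, array $blacklist, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_dec($h), true);
    // Pin the algorithm server-side rather than trusting the header's "alg".
    if (($header['alg'] ?? null) !== 'HS256') return null;
    if (!hash_equals(b64url(hash_hmac('sha256', "$h.$p", $secret, true)), $s)) return null;
    $claims = json_decode(b64url_dec($p), true);
    if (!is_array($claims) || !isset($claims['jti'], $claims['exp'])) return null;
    if ($claims['exp'] <= $now) return null;               // token expired on its own
    if (isset($blacklist[$claims['jti']])) return null;     // token was invalidated earlier
    return $claims;                                         // the user is looked up from "sub"
}

// Logout step: record the jti with a lifetime equal to the token's remaining life.
function invalidate(array $claims, array &$blacklist): void {
    $blacklist[$claims['jti']] = $claims['exp'];
}

// What a cache TTL does for you: drop entries once the token itself has expired.
function purge(array &$blacklist, int $now): void {
    $blacklist = array_filter($blacklist, function (int $exp) use ($now) { return $exp > $now; });
}

$secret = 'constructed-demo-secret';                         // constructed sample value
$now = 1700000000;
$blacklist = [];
$jwt = issue(['sub' => 42, 'jti' => 'tok-1', 'iat' => $now, 'exp' => $now + 3600], $secret);
$claims = verify($jwt, $secret, $blacklist, $now);           // authenticated request
invalidate($claims, $blacklist);                              // logout
var_dump(verify($jwt, $secret, $blacklist, $now));            // same token presented again
purge($blacklist, $now + 3601);                               // one second after exp
var_dump($blacklist);                                         // blacklist after purge
```

Nothing about a live token is kept server-side; only the jti of a token that was explicitly invalidated is stored, and only until that token would have expired anyway.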

Sorry, my post got cut off. I accidentally hit return on the comment button and had to remove it temporarily.

Just one more thing, upgrading seems to cause some issues. Do you have an updated readme for migrating to 0.4?

PHP Fatal error: Class 'Tymon\JWTAuth\JWTAuthServiceProvider' not found in /home/vagrant/pocketderm.dev/PocketDerm/vendor/laravel/framework/src/Illuminate/Foundation/ProviderRepository.php on line 157


I don't have an upgrade guide at the moment, I'm afraid, but I don't think there are many breaking changes.
The new path for the ServiceProvider is

'Tymon\JWTAuth\Providers\JWTAuthServiceProvider'

And the login() method is now authenticate().

Also you will need to republish the package config using the following command:

php artisan config:publish tymon/jwt-auth

Thanks! It works.


Hi,

Does this https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ apply to jwt-auth?

Cheers,
Jeremy


Hi Jeremy,

Yea it does (good find), since I am using namshi/jose

I will get a patch release out asap

Thanks

Thanks a lot for answering!

When the token is decoded on each request, I noticed that the base Auth of Laravel is set with the information, so we can keep using Auth::user() etc., but it doesn't appear that Auth::logout() invalidates the token. Would it be a useful feature request for Auth::logout() to invalidate the token?

I want to invalidate all the tokens assigned to a particular user on re-login.

How can we do it?

@mtpultz Not a good idea I'm afraid.

Most of Laravel's auth system assumes session/cookie based authentication, so it wouldn't work.

@SnehalAmbab there is no concept of tokens assigned to a user, meaning they are not stored anywhere. Hence the term stateless authentication.

@tymondesigns how do I enable the token blacklist?

And I also have another question: how can I refresh a token?
